Title: Proxy accepts gopher:// requests
The proxy accepts gopher:// requests.
Gopher is an old network protocol that predates HTTP and
is nearly unused today. As a result, gopher-compatible
software is generally less audited and more likely to contain
security bugs than other software.
By making gopher requests, an attacker may evade your firewall
settings by making connections to port 70, or may even exploit
arcane flaws in this protocol to gain more privileges on this
host (see the attached CVE id for such an example).
Solution : reconfigure your proxy so that it refuses gopher requests.
Risk factor : Medium
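A defender-side check for the condition described above, as an added example that is not the test script this page describes: it scans proxy access logs for gopher:// requests by URL scheme rather than by port, since one of the Bugtraq references on this page notes that gopher can run on any port, not just 70. The Squid-style log layout, the sample lines and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumption:
# the page does not name a proxy product or a log format).
# Fields: time elapsed client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
1023175200.101 85 10.0.0.12 TCP_MISS/200 2310 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1023175260.442 120 10.0.0.15 TCP_MISS/200 512 GET gopher://gopher.example.net/1 - DIRECT/192.0.2.20 text/html
1023175300.007 97 10.0.0.15 TCP_MISS/200 640 GET GOPHER://gopher.example.net:8080/1/docs - DIRECT/192.0.2.20 text/html
1023175320.913 3 10.0.0.15 TCP_DENIED/403 1450 GET gopher://gopher.example.net:70/ - NONE/- text/html
1023175400.250 60 10.0.0.12 TCP_MISS/200 900 GET http://www.example.com:70/gopher - DIRECT/192.0.2.10 text/html
"""


def gopher_requests(log_text):
    """Return one record per gopher:// request, matched on scheme, not port."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, result, url = fields[2], fields[3], fields[6]
        parts = urlsplit(url)
        if parts.scheme != "gopher":  # urlsplit lowercases the scheme
            continue
        try:
            port = 70 if parts.port is None else parts.port
        except ValueError:
            port = None  # malformed port in the logged URL
        hits.append({
            "client": client,
            "host": parts.hostname,
            "port": port,
            # TCP_DENIED means the proxy refused the request, as the fix intends
            "served": not result.startswith("TCP_DENIED"),
        })
    return hits


def still_served(log_text):
    """Gopher requests the proxy answered instead of refusing."""
    return [h for h in gopher_requests(log_text) if h["served"]]


if __name__ == "__main__":
    for hit in still_served(SAMPLE_LOG):
        print("proxy served gopher request:", hit)
```

Any entry returned by `still_served` after the proxy has been reconfigured means the scheme is still accepted; the HTTP request to port 70 in the sample is deliberately not flagged.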
BugTraq ID: 4930
Common Vulnerabilities and Exposures (CVE) ID: CVE-2002-0371
Bugtraq: 20020604 Buffer overflow in MSIE gopher code
Bugtraq: 20020613 Flawed workaround in MS02-027 -- gopher can run on _any_ port, not just 70
Bugtraq: 20020613 Microsoft releases critical fix that breaks their own software!
CERT/CC vulnerability note: VU#440275
Microsoft Security Bulletin: MS02-027
Copyright: This script is Copyright (C) 2003 Renaud Deraison