Justin,
Thank you very much !!!
I just tested Justin's "security hole" page.
http://solair.eunet.yu/~justin/
After sending the info to him, I edited the page and sent it to my
own address.
This is the eMail I just received:
> Received: from SOLAIR.EUnet.yu (SOLAIR.EUnet.yu [194.247.192.52])
> by smtp.cisnet.com (8.8.5/8.8.7) with ESMTP id SAA17182
> for <[EMAIL PROTECTED]>; Sat, 1 Apr 2000 18:09:19 -0500 (EST)
> Received: (from nobody@localhost)
> by SOLAIR.EUnet.yu (8.9.3/8.9.3) id BAA15924;
> Sun, 2 Apr 2000 01:11:02 +0200 (MET DST)
> Date: Sun, 2 Apr 2000 01:11:02 +0200 (MET DST)
> Message-Id: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> From: ()
> Subject: Arachne security test
> X-UIDL: b63ec7cb3470bcf52ee0e82632214ef2
>
> Below is the result of your feedback form. It was submitted by () on Sunday,
April 2, 19100 at 01:11:01
> ---------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> REMOTE_HOST: pm193.cisnet.com
> REMOTE_ADDR: 204.179.144.93
> REMOTE_USER:
> REMOTE_IDENT:
> HTTP_USER_AGENT: xChaos_Arachne/4.1.61 (DOS x86;WATTCP/1.05; 800x600,HiColor;
www.arachne.cz)
>
>
As you can see... No "security hole" exists in v1.61
But...... here it is with v1.50,s.r.c. and v1.50,b2
> Received: from SOLAIR.EUnet.yu (SOLAIR.EUnet.yu [194.247.192.52])
> by smtp.cisnet.com (8.8.5/8.8.7) with ESMTP id SAA17852
> for <[EMAIL PROTECTED]>; Sat, 1 Apr 2000 18:29:13 -0500 (EST)
> Received: (from nobody@localhost)
> by SOLAIR.EUnet.yu (8.9.3/8.9.3) id BAA19512;
> Sun, 2 Apr 2000 01:30:58 +0200 (MET DST)
> Date: Sun, 2 Apr 2000 01:30:58 +0200 (MET DST)
> Message-Id: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> From: ()
> Subject: Arachne v1.50,s.r.c. security test
> X-UIDL: f246dadc40da221ec06cd61caf8e8c7c
>
> Below is the result of your feedback form. It was submitted by () on Sunday,
April 2, 19100 at 01:30:57
> ---------------------------------------------------------------------------
>
> ime: glennmcc
>
> ---------------------------------------------------------------------------
> REMOTE_HOST: pm164.cisnet.com
> REMOTE_ADDR: 204.179.144.64
> REMOTE_USER:
> REMOTE_IDENT:
> HTTP_USER_AGENT: xChaos_Arachne/1.50;s.r.c. (DOS x86; 800x600,HiColor;
home.arachne.cz)
>
> Received: from SOLAIR.EUnet.yu (SOLAIR.EUnet.yu [194.247.192.52])
> by smtp.cisnet.com (8.8.5/8.8.7) with ESMTP id SAA17980
> for <[EMAIL PROTECTED]>; Sat, 1 Apr 2000 18:32:31 -0500 (EST)
> Received: (from nobody@localhost)
> by SOLAIR.EUnet.yu (8.9.3/8.9.3) id BAA20044;
> Sun, 2 Apr 2000 01:34:16 +0200 (MET DST)
> Date: Sun, 2 Apr 2000 01:34:16 +0200 (MET DST)
> Message-Id: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> From: ()
> Subject: Arachne v1.50,b2 security test
> X-UIDL: 03b55842bb1f719220183d739d38c124
>
> Below is the result of your feedback form. It was submitted by () on Sunday,
April 2, 19100 at 01:34:16
> ---------------------------------------------------------------------------
>
> ime: glennmcc
>
> ---------------------------------------------------------------------------
> REMOTE_HOST: pm42.cisnet.com
> REMOTE_ADDR: 207.17.254.2
> REMOTE_USER:
> REMOTE_IDENT:
>HTTP_USER_AGENT: xChaos_Arachne/1.50;beta (DOS x86; 800x600,HiColor;
http://home.arachne.cz/)
>
I'll test it now to see if someone could just as easily get my password.
-------
Oh, S**T!!!!
My PPPpassword was just eMailed to me. (using v1.50,s.r.c.)
My advice to anyone concerned with security:
Upgrade immediately to v1.61
Justin,
Thank you again for telling us about this.
---------
On Sat, 1 Apr 2000 13:46:08 +0200 (MET DST), Justin Laslo wrote:
> Dear mr Polak,
> Sorry for disturbing You. I must write You, because I think that there is
> a safety problem in your program. I think that you didn't hear
> about it yet. I found your program on the Internet. I needed a program that
> can run on 286 with 1 Mb RAM. I found Arachne, I use it since then for www.
> I use my own program for mail. I don't like very much the part of Arachne
that
> exchanges mail, but my computer is too slow and it coud be the reason why.
> Anyway, Arachne is quiet good, and I'm satisfied with it.
> Maybe I'll register for it one day...
> I recently saw on the homepage the new 1.61 version available. I didn't
> download it yet, all this written down depends on 1.50 version. I think,
> this mistake is not corrected yet.
> Unfortunately, in the HTML files that are downloaded from the Internet
> by Arachne if there is a form, then here a Hacker can add any tags definied
> in the official Arachne extensions to HTML. (For instance:
> <INPUT TYPE=HIDDEN NAME=anything ARACHNECFGVALUE=something> )
> In this way, he can find data that are stored in the file Arachne.cfg.
> If you wisit my website solair.eunet.yu/~justin you can see an
> example for this. (This doesn't download important information - only
> username and similar, exept the password) All this happens, when the
> user clics on the "submit" button. (By me: "GLAVNI DEO PREZENTACIJE"
> that means: the next part of the presentation in my language )
> My hompage sends an e-mail if you click to the submit button that
> includes the username if he uses Arachne.
> Please, write me if you know about this problem!
> Yours faitfully,
> Justin
--
Glenn McCorkle [EMAIL PROTECTED] North Jackson, Ohio, USA
DOS prog. for QV cameras http://www.angelfire.com/id/glenndoom/qvplay.html
Other stuff http:[EMAIL PROTECTED]/
Arachne, The Web Browser for DOS
Open the 'DOOR' to the WWW. Keep the 'windows' closed.
http://arachne.browser.org/ http://arachne.cz/
