jkp@cs.HUT.FI (Jyrki Kuoppala) (08/04/90)
In article <1628@excelan.COM>, donp@novell.com (don provan) writes:
>OK, this discussion has gotten out of hand and i'm afraid some
>innocent novice is going to believe some of this misinformation.
>
>While it is true that ports lower than 1024 are reserved on many
>systems, that has nothing whatsoever to do with the HP bug that's being
>discussed here. The port given in the FTP PORT command is a *remote*
>port. There's no justification at all for HP checking this port for
>any range of any type for any reason. It should just use the port
>given. I don't even understand what prompted some misguided soul to
>add the extra, unnecessary code needed to make this check.

I'm not familiar with the HP bug, but sounds like it's a kludge to fix the same security problem that a UCB-bug-fixes posting fixes in September 1987. If the kind of checking that HP does is not done, it may be possible to exploit the security weakness to some other machines; I wonder if HP themselves have left the UCB-fix unapplied because they 'fixed' it the other way.

The exact nature of the security problem is left as an exercise to the reader.

By the way, IMHO the UCB fix is also a horrible kludge, as is the concept of the privileged TCP/IP ports altogether, but it was a useful kludge at the time and it still is.

>I applaud the IBM developers for making this simple change to
>accommodate the HP implementation, but i want everyone to understand
>that the HP implementation is, in fact, broken.

Yes, although it does close a security hole in some environments.

//Jyrki
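
The kind of server-side check discussed in this thread, as an added example that is not part of the original posts and is not HP's or UCB's code: a strict parser for the FTP PORT argument (h1,h2,h3,h4,p1,p2) that refuses data ports below 1024. The function name, result codes and sample arguments are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RESERVED_LIMIT 1024   /* ports below this are the "reserved" range from the thread */

enum port_result { PORT_OK = 0, PORT_SYNTAX = -1, PORT_RESERVED = -2 };

/* Parse the argument of "PORT h1,h2,h3,h4,p1,p2": six decimal octets, no
 * spaces or signs; the caller is assumed to have stripped the CRLF.
 * *addr and *port (host byte order) are set whenever the syntax is valid,
 * so a rejected request can still be logged with its target. */
enum port_result parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port)
{
    unsigned long f[6];
    const char *p = arg;

    for (int i = 0; i < 6; i++) {
        char *end;
        if (!isdigit((unsigned char)*p))
            return PORT_SYNTAX;              /* empty field, sign or whitespace */
        f[i] = strtoul(p, &end, 10);
        if (f[i] > 255 || end - p > 3)
            return PORT_SYNTAX;              /* not an octet */
        p = end;
        if (i < 5 && *p++ != ',')
            return PORT_SYNTAX;              /* missing separator or too few fields */
    }
    if (*p != '\0')
        return PORT_SYNTAX;                  /* trailing data after p2 */

    *addr = (uint32_t)(f[0] << 24 | f[1] << 16 | f[2] << 8 | f[3]);
    *port = (uint16_t)(f[4] << 8 | f[5]);
    return *port < RESERVED_LIMIT ? PORT_RESERVED : PORT_OK;
}

int main(void)
{
    /* Constructed sample arguments (documentation address 192.0.2.10). */
    const char *samples[] = { "192,0,2,10,4,1", "192,0,2,10,0,25", "192,0,2,10,4" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a; uint16_t port;
        enum port_result r = parse_port_arg(samples[i], &a, &port);
        printf("%-18s -> %s\n", samples[i],
               r == PORT_OK ? "accept" : r == PORT_RESERVED ? "reject: reserved port" : "reject: syntax");
    }
    return 0;
}
```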