> I was thinking about the sendmail attack working from the inside as > opposed to the outside and it occured to me that gopher sends email > (upon request) to transmit a file to the person using the gopher server. > Could this be used (by sending the mail to another user on the gopher > server) to launch the sendmail attack as an insider? Probably not, > but I just thought I'd ask. I'm relatively familiar with the UMN gopher software, and my impression is that the Unix gopher client will send mail (i.e. mailing files to oneself), but the Unix gopher server does not send mail. Exceptions to this may occur in scripts added to process gopher+ ASK forms or other gateways, but I don't think sending mail is required to support the data types and gateways built into the UMN gopherd. I'm not 100% sure of this... but a quick grep of the 2.1.3 sources tends to confirm that references to sending mail are only in the client. Gopher gateways and WWW CGI scripts seem like potential vulnerablities for many systems, since they are passed around between sites but get less checking than the main server code. -- Albert Lunde Albert-Lunde@nwu.edu