Re: Netscape && FTP sites

• To: "Seth I. Rich" <seth@hygnet.com>
• Subject: Re: Netscape && FTP sites
• From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
• Date: Wed, 13 Mar 1996 09:42:49 -0800
• Cc: www-security@ns2.rutgers.edu
• Organization: Hewlett-Packard Co.
• References: <199603121800.NAA00266@arkady.hygnet.com>
• Reply-To: gene@hpfsvr01.cup.hp.com

Seth I. Rich wrote:
> 
> I was recently looking for documentation on the Netscape site and I found
> something which disturbed me a bit.  (The Netscape site isn't lynx-friendly,
> so I can't search it now for a citation.)
> 
> Is it true that, when connecting to an anonymous FTP site, Netscape sends
> username anonymous and password "mozilla@<site>"?  It was my understanding
> (in fact, the FTP sites I maintain say this explicitly) that the password
> specified is to be the email address of the person requesting (or submitting)
> the data.  What I recall reading is that Netscape -always- sends this bogus
> address even if the user has entered her real address into the browser's
> configuration.
> 
> Is this true?  Does this seem like a problem to anyone else?  Is it patchable?
> 
> Seth
> ---------------------------------------------------------------------------
> Seth I. Rich - seth@hygnet.com - (610) 859-0100
> Systems Administrator / Webmaster, HYGNet       My words are my own; please
> Rabbits on walls, no problem.                   don't blame my employer!

I've seen a simple but eloquent solution possibly implemented.  When I go to
some FTP sites (can't remember which ones) and leave my Netscape mail
preferences blank, it says something like, "invalid user/ID please enter your
email address as anonymous ID" or whatever.  Here is what I suspect is
occurring:

If the ftp site gets "mozilla@<site>" or any string "mozilla," it refuses to
allow anonymous login same as if a user didn't give any address as password (and
in fact I know this must be happening because some sites look for ``@'' to
determine if valid email address is entered).

Here's what's interesting:  when I enter any valid email address format (not
containing string mozilla of course, but it can be a bogus address) in mail
preferences, abovementioned ftp sites accept my ftp login.  This implies that
Netscape doesn't -always- send the bogus address "mozilla.." but only when mail
prefs are left blank.  Sorry I can't be more specific.  Bottom line is I'd have
your ftp site reject any email addresses containing string "mozilla" then test
it using Netscape Navigator..  (Just got the idea why can't ftp sites also
finger email addressed given to see if it's valid before allowing anonymous
access, sorry to think out loud..)

-- 

____________________________________________________________
Gene Ingram                                  gene@cup.hp.com
                                     ingram@pubs.holosys.com

• Re: Netscape && FTP sites
• From: Karl Boyken <boyken@cs.uiowa.edu>
• Re: Netscape && FTP sites
• From: Dana Hudes <dhudes@panix.com>

• Netscape && FTP sites
• From: "Seth I. Rich" <seth@hygnet.com>

• Previous: Re: Netscape && FTP sites
• Next: Re: Re[2]: Java "security holes'
• Index(es):
  • Index
  • Thread