HTML multipart/report

Olivier CALEFF caleff@apogee-com.fr
Fri, 12 Jun 1998 09:13:33 +0200


At 14:03 10/06/98 -0400, James Croall wrote:

>At 12:42 PM 6/10/98 +0100, you wrote:

>>Gauntlet blocks multipart data coming through the http proxy.  Anyone
know

>>of current problems with this type of data?

>

>Don't quote me on this, but I think that dates back to a problem with
Netscape

>Navigator. A while back the Netscape "file upload bug" got quite a bit
of

>press,

>which allowed a malicious web site to steal files from user's
workstations.

>That

>option allowed the firewall administrator to protect everybody with 
one

>setting.


You are right, it dates back to June 1997, http-gw patch level 17 at that
time. At that time, the README said :

<bigger>

Adds support for "deny-feature multipart-form" to block
multipart/form-data. Supports blocking of file upload due to Netscape
bug.

</bigger>



--

+------------------------------------------------------------------------+

|                  Olivier CALEFF, Chief Technical Officer               |

| APOGEE Communications, Parc Club Orsay Universite, 91893 Orsay, FRANCE |

| mailto:caleff@apogee-com.fr                   http://www.apogee-com.fr |

| phone: +33.1.69852728 == fax: +33.1.69855763 == mobile: +33.6.08741864 |

+------------------------------------------------------------------------+

|Network/Systems Management| Security|Consultancy |Call Centers| Training|

+------------------------------------------------------------------------+