This is from the URL:
Note: This problem only affects the X Windowing System versions of
NCSA Mosaic. The Mac and MS Windows versions are not affected by this
This problem could result in the Mosaic client arbitrarily executing
any UNIX command when the user clicked on a link to a telnet, tn3270, or
rlogin URL. This could happen because the official form of the string
passed to this kind of URL was user@machine:password, and the machine
string was just being passed straight on to the UNIX system() command. By
passing strings such as
The command after the ';' was being executed with all the permissions
of the Mosaic user.
As of Mosaic 2.3 this problem has been fixed. The fix is made up of
two changes, as outlined below.
1. Use fork()/execlp() instead of system().
2. MIT's xterm currently uses exec(), but there are no guarantees
about custom xterms, so before passing the information on to
execlp(), the port number is required to be in the range 1-65535.
Also, the hostname and username are only allowed to contain
alphanumeric characters, plus '.', '_', '-', and '+'. The
characters '-' and '+' are not allowed as leading characters.
This should prevent any harmful commands from being executed, even on a
machine whose version of xterm does use system().
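The two changes above, written out as an added C example (not NCSA's own Mosaic
code): a whitelist check for the hostname/username, a numeric range check for the
port, and a launcher that hands the validated strings to fork()/execlp() rather
than to a shell. The function names and the "xterm -e telnet host port" command
line are assumptions for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hostname/username rule from the advisory: only [A-Za-z0-9._+-],
 * non-empty, and no leading '-' or '+' (so nothing can be mistaken
 * for a command-line option by the spawned program). */
int mosaic_name_ok(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (!(isalnum(*p) || *p == '.' || *p == '_' ||
              *p == '-' || *p == '+'))
            return 0;           /* ';', '|', '`', spaces, etc. all rejected */
    }
    return 1;
}

/* Port rule: decimal digits only, value in 1..65535. */
int mosaic_port_ok(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 5)
        return 0;
    long v = 0;
    for (const char *p = s; *p; p++) {
        if (!isdigit((unsigned char)*p))
            return 0;
        v = v * 10 + (*p - '0');
    }
    return v >= 1 && v <= 65535;
}

/* Launch the terminal via fork()/execlp(): each argument goes straight
 * into the new process's argv, so no shell ever parses the host string.
 * Returns the child pid, -1 if validation fails or fork() fails. */
pid_t mosaic_spawn_telnet(const char *host, const char *port)
{
    if (!mosaic_name_ok(host) || !mosaic_port_ok(port))
        return -1;              /* refuse before anything is executed */
    pid_t pid = fork();
    if (pid == 0) {
        execlp("xterm", "xterm", "-e", "telnet", host, port, (char *)NULL);
        _exit(127);             /* execlp only returns on failure */
    }
    return pid;
}
```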