Great Circle Associates Firewalls
(April 1994)
 


Subject: TELNET URL SECURITY PROBLEM: DETAILS
From: anthony_starks @ merck . com (Anthony Starks)
Date: Fri, 8 Apr 1994 20:52:57 -0400
To: firewalls @ greatcircle . com

This is from the URL:

	http://south.ncsa.uiuc.edu/security.html


   Note: This problem only affects the X Windowing System versions of
   NCSA Mosaic. The Mac and MS Windows versions are not affected by this
   problem!

   This problem could result in the Mosaic client arbitrarily executing
   any UNIX command when the user clicked on a link to telnet, tn3270, or
   rlogin URL. This could happen because the official form of the string
   passed to this kind of URL was user@machine:password, and the machine
   string was just being passed on to the UNIX system() command. By
   passing strings such as

	machine; unix_command

   the command after the ';' was being executed with all the permissions
   of the Mosaic user.

   As of Mosaic 2.3 this problem has been fixed. The fix is made up of
   two changes as outlined below.
    1. Use fork()/execlp() instead of system().
    2. MIT's xterm currently uses exec(), but there are no guarantees
	about custom xterms, so before passing on the information to
	execlp(), the port number is required to be in the range 1-65535.
	Also, the hostname and username are both allowed to only contain
	the alphanumeric characters, plus '.', '_', '-', and '+'. The
	characters '-' and '+' are not allowed to be leading characters.
	This should prevent any harmful commands being executed, even on a
	machine whose version of xterm does use system().
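
The two changes described above, as an added C example (not NCSA's Mosaic source): the advisory's character and range rules for hostname/username and port, then fork()/execlp() so that no shell ever parses the values. The function names and the `xterm -e telnet` command line are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Advisory rule for hostname and username: alphanumerics plus . _ - +,
   with '-' and '+' rejected as the leading character. */
int valid_name(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && strchr("._-+", *s) == NULL)
            return 0;
    return 1;
}

/* Advisory rule for the port: decimal digits only, value in 1-65535. */
int valid_port(const char *s)
{
    long v = 0;
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s))
            return 0;
        v = v * 10 + (*s - '0');
        if (v > 65535)
            return 0;
    }
    return v >= 1;
}

/* Hypothetical launcher (assumed command line). Returns -1 when validation
   or fork fails, otherwise the child's wait status. Each value is passed as
   a single argv entry, so ';' has no special meaning to anything. */
int launch_telnet(const char *host, const char *port)
{
    int status = -1;
    if (!valid_name(host) || !valid_port(port))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("xterm", "xterm", "-e", "telnet", host, port, (char *)NULL);
        _exit(127); /* reached only if execlp failed */
    }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}
```

The leading '-'/'+' check matters even without a shell, because a value beginning with '-' would otherwise be read as an option by the program that receives it.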

