Bugtraq mailing list archives
Re: Is _your_ Netscape under remote control
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Sat, 25 May 1996 07:09:01 -0400
Obviously, the *temporary solution* as stated on Netscape's page is to disable client access via xhost, however it bugs me that Netscape can be controlled remotely.
That's the price you pay for running binary-only commercial software, you get what the software vendor chooses to give you.
This ''feature'' by Netscape seems utterly pointless, since to have a web server control your netscape you would have to disable security (xhost +) or manually add the site to the access control list, assuming that the site is ''safe''.
Yeah, to have a web server control the browser, that's true. I don't think the intended client of this protocol is the web server; more likely, it's intended for other local programs. For example, one could use it to run canned demos by having a process sitting around pushing netscape from page to page in a pre-scripted manner, while netscape is positioned and sized so that nothing but the page itself is visible on the screen (borders and buttons and such are all off-screen). Or one could use it as someone else already suggested, so that you can click on a URL in an editor, or type it to a command-line tool, and have netscape show it. Or I'm sure there are plenty of other things one could do with it.
It is a security problem, but not as large a one as some people seem to feel. Generally speaking, if your X display is open to a process, that process can do anything - and thus for normal use you don't want to run with your display open. However, if a process can connect to a display, it can't do anything that other clients on that display aren't capable of. This "feature" means that if you have a netscape running on that display, you have now opened up the filesystem of the machine netscape is running on. (If there are no xterms or any other client capable of shell access or writing to files, then the attacking client can disrupt the X session but nothing more.)
der Mouse
mouse () collatz mcrcim mcgill edu
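
Added example, not part of the original message: a shell function that reads `xhost` output and reports whether the display is open to any host, to whole hosts, or only to named local users, which is the exposure the message ties to a running netscape. The entry prefixes handled (`INET:`, `LOCAL:`, `SI:localuser:`) are those printed by current `xhost`; the function name, host name and user name are constructed for illustration.

```shell
#!/bin/sh
# audit_xhost: classify `xhost` output supplied on stdin.
# First output line is the verdict, followed by one "grant:" line per broad entry.
#   open        access control disabled (the `xhost +` state)
#   host-acl    a whole host, or all local connections, is on the access list
#   restricted  only per-user (SI:localuser:) entries, or an empty list
# Exit status is 0 only for "restricted".
audit_xhost() {
    verdict=restricted
    grants=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "access control disabled"*) verdict=open ;;
            "access control enabled"*|"") ;;
            SI:localuser:*) ;;    # a single local user, not every process on a host
            *)
                # Any other entry admits every client coming from that host/family.
                [ "$verdict" = open ] || verdict=host-acl
                grants="${grants}grant: ${line}
" ;;
        esac
    done
    printf '%s\n' "$verdict"
    printf '%s' "$grants"
    [ "$verdict" = restricted ]
}

# Constructed sample output (not captured from a real system).
sample='access control enabled, only authorized clients can connect
INET:build.example.org
SI:localuser:alice'

printf '%s\n' "$sample" | audit_xhost \
    || echo "display accepts clients beyond named local users"
```

On a live session the same function can be fed with `xhost | audit_xhost`.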