Telnet URL Security Problem: Details

Note: This problem only affects the X Window System versions of NCSA Mosaic. The Mac and MS Windows versions are not affected by this problem!

This problem could result in the Mosaic client executing arbitrary UNIX commands when the user clicked on a link to a telnet, tn3270, or rlogin URL. This could happen because the official form of the string passed to this kind of URL was user@machine:password, and the machine string was passed on unchanged to the UNIX system() command. When the URL carried a string such as

	machine; unix_command

the command after the ';' was executed with all the permissions of the Mosaic user.

As of Mosaic 2.3 this problem has been fixed. The fix is made up of two changes as outlined below.

  1. Use fork()/execlp() instead of system().
  2. MIT's xterm currently uses exec(), but there are no guarantees about custom xterms, so before passing on the information to execlp(), the port number is required to be in the range 1-65535. Also, the hostname and username are both allowed to contain only alphanumeric characters, plus '.', '_', '-', and '+'. The characters '-' and '+' are not allowed to be leading characters. This should prevent any harmful commands being executed, even on a machine whose version of xterm does use system().

General Mosaic Security Concerns