Mosaic Security Issues and Responses
- Mosaic 2.2, and all previous versions of NCSA Mosaic for the X
Window System, have a serious security hole that allows telnet URLs
to execute an arbitrary UNIX command. The immediate action was to inform
people how to
disable telnet URLs.
As of Mosaic 2.3 this bug has been fixed; for more information,
read about the details of the
telnet URL problem.
- There was once a concern with Mosaic using ghostview as a PostScript
viewer, because PostScript can be insecure. The new version of
ghostscript (Version 2.6.1) used by ghostview runs in secure mode
by default, so this is no longer an issue.
- There is a way (involving reconfiguration of both client and server)
to have Mosaic execute any arbitrary shell script that is passed over
the network. This is a documented feature that cannot be activated
accidentally; you should read about
Executing Shell Scripts in Mosaic
before activating this feature.
THAT IS ALL! If there are any other security problems that any of
you know of, PLEASE MAIL US!
If you post security concerns to the net, please be kind enough to be
specific. Vague alarmist postings just make more busy work for us.
Eric Bina (ebina@ncsa.uiuc.edu)