Note: This problem only affects the X Window System versions of NCSA Mosaic. The Mac and MS Windows versions are not affected by this problem!
This problem could result in the Mosaic client executing an arbitrary UNIX command when the user clicked on a link to a telnet, tn3270, or rlogin URL. This could happen because the official form of the string passed to this kind of URL was user@machine:password, and the machine string was passed unchecked to the UNIX system() command, which hands its argument to the shell. Given a string such as

    machine; unix_command

the command after the ';' was executed with all the permissions of the Mosaic user.
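The pattern described above, next to a hardened form, as an added example: this is not Mosaic source code and not the fix NCSA shipped. The `telnet %s` command template and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: the machine string is pasted into a line that
 * system() would hand to /bin/sh, so ';' starts a second command.
 * (Command template is an assumption, not Mosaic's real one.) */
int build_shell_command(char *out, size_t n, const char *host) {
    return snprintf(out, n, "telnet %s", host);
}

/* Allowlist check: letters, digits, '.' and '-' only, and no leading
 * '-' so the value cannot be read as an option by the helper program. */
int host_is_safe(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 255 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened launch: validate, then exec with an argv array so no shell
 * ever parses the host. Returns the child pid (caller should waitpid)
 * or -1 if the host is rejected or fork fails. */
int launch_telnet(const char *host) {
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "telnet", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    return (int)pid;
}

int main(void) {
    const char *sample = "machine; unix_command"; /* string from the text above */
    char line[128];
    build_shell_command(line, sizeof line, sample);
    printf("shell would see: %s\n", line);
    printf("host_is_safe:    %d\n", host_is_safe(sample));
    printf("launch_telnet:   %d\n", launch_telnet(sample));
    return 0;
}
```

Validation and shell-free execution are independent layers: either one alone stops the `;` case, and keeping both covers a mistake in the other.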
As of Mosaic 2.3 this problem has been fixed. The fix is made up of two changes as outlined below.