Possible Netscape/Unix (Debian) problem
daemon@ATHENA.MIT.EDU (Graham Evans)
Wed May 26 14:52:52 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <374B410C.FA3738CA@bespoke-continental.co.uk>
Date: Wed, 26 May 1999 00:32:12 +0000
Reply-To: Graham Evans <gevans@BESPOKE-CONTINENTAL.CO.UK>
From: Graham Evans <gevans@BESPOKE-CONTINENTAL.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
I submitted this to Bugtraq a while ago, Aleph One queried it and it has
taken me some time to recheck it. So apologies for not re-submitting
this earlier.
Problem:-
It is possible to mistakenly use a browser (settings/passwords etc.)
that is being run on another machine than the one you expect.
How to recreate:-
Take two Unix boxes (A and B). On the console of A, run X and allow B to
access the screen (using the xhost command). Telnet into B and (after
setting the DISPLAY environment variable) run netscape.
You now get a copy of netscape running on B (type "file:/etc/hostname"
in the location bar).
Open a new xterm on A and run netscape. A new window appears, but it is
just another instance of B's program (again, type "file:/etc/hostname" to
check).
Why this might be a risk:-
You have two computers that you use: B has a connection to the internet
and A holds personal data. You follow the instructions above and type
file:/usr/me/stuff.txt; you are actually reading the file off B, not A.
Also, if you use this new window to browse an intranet, all
cookies/passwords/bookmarks will be stored on and read from B, leaving B as
a target.
Vulnerable Systems
I've checked this on two Debian (Hamm) boxes running Communicator 4.05
and 4.51. The problem does not (according to Aleph) appear with Red Hat
(which is why I suspect it may be a Debian-specific problem).
Graham
--
-------------------------------------------------------------------------------
Graham Evans Tel +44 (0) 1424 211002
Internet Consultant Fax +44 (0) 1424 217107
Bespoke Continental gevans@bespoke-continental.co.uk
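A defender-side check for the situation described above, added here and not part of Graham's post: before typing credentials or a file: URL into a window on a shared X display, confirm which host the window's client process actually runs on. The script parses the output of `xprop -id <window>` and compares the ICCCM WM_CLIENT_MACHINE property (the hostname the X client sets for itself, so a client displaying across the network reports its own host) with the local hostname. The sample xprop output and the hostnames "a" and "b" are constructed; it is an assumption that the browser's toolkit sets WM_CLIENT_MACHINE (Xt/Motif clients normally do), so an absent property is reported as "unknown" rather than "local".

```python
"""Tell whether an X window is driven by a local or a remote client.

Parses `xprop -id <window>` output and compares WM_CLIENT_MACHINE with the
local hostname. Constructed samples below stand in for real xprop output.
"""
import socket
import subprocess

# Constructed sample of `xprop -id <window>` for a window whose X client is a
# process on host "b" (the remote box in the report), not this machine.
SAMPLE_XPROP_REMOTE = """WM_CLIENT_MACHINE(STRING) = "b"
_NET_WM_PID(CARDINAL) = 4242
WM_CLASS(STRING) = "Netscape", "Netscape"
WM_NAME(STRING) = "Netscape: Welcome"
"""

# Constructed sample for a window owned by a process on this machine ("a").
SAMPLE_XPROP_LOCAL = """WM_CLIENT_MACHINE(STRING) = "a.example.internal"
_NET_WM_PID(CARDINAL) = 1717
WM_CLASS(STRING) = "XTerm", "XTerm"
"""


def parse_xprop(text):
    """Parse xprop's "NAME(TYPE) = value" lines into a {NAME: value} dict."""
    props = {}
    for line in text.splitlines():
        name_type, sep, value = line.partition(" = ")
        if not sep:
            continue  # continuation line or unrelated output
        name = name_type.split("(", 1)[0].strip()
        props[name] = value.strip()
    return props


def _unquote(value):
    """Strip the double quotes xprop places around STRING values."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def _short_host(name):
    """Compare on the unqualified, case-folded host label."""
    return name.split(".", 1)[0].lower()


def classify_window(props, local_host):
    """Return "local", "remote" or "unknown" for the window's client host.

    WM_CLIENT_MACHINE is the hostname the X client reports for itself, so a
    mismatch with the local hostname means the window is driven from elsewhere.
    Assumption: the client's toolkit sets the property at all; if it does not,
    the result is "unknown", never "local".
    """
    machine = _unquote(props.get("WM_CLIENT_MACHINE", ""))
    if not machine:
        return "unknown"
    if _short_host(machine) == _short_host(local_host):
        return "local"
    return "remote"


def check_xprop_output(text, local_host):
    """Classify captured xprop text; returns (verdict, client_host, pid)."""
    props = parse_xprop(text)
    verdict = classify_window(props, local_host)
    client_host = _unquote(props.get("WM_CLIENT_MACHINE", ""))
    pid_text = props.get("_NET_WM_PID")
    # _NET_WM_PID only identifies a process on the host that owns it, so it is
    # reported for reference but must not be trusted for a remote client.
    pid = int(pid_text) if pid_text and pid_text.isdigit() else None
    return verdict, client_host, pid


def check_live_window(window_id):
    """Run xprop on a real window id (needs a DISPLAY and xprop installed)."""
    result = subprocess.run(["xprop", "-id", window_id],
                            capture_output=True, text=True, check=True)
    return check_xprop_output(result.stdout, socket.gethostname())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_live_window(sys.argv[1]))   # e.g. the id from `xwininfo`
    else:
        print(check_xprop_output(SAMPLE_XPROP_REMOTE, "a"))
```

Run it with no arguments to see the verdict on the constructed sample, or pass a window id (as printed by `xwininfo` when you click the suspicious window) to check a live display. A "remote" verdict on a browser window is exactly the condition the report describes: anything entered there is handled, and stored, by the other host.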