[2615] in bugtraq

Re: Is _your_ Netscape under remote control

daemon@ATHENA.MIT.EDU (Phillip Wherry)
Fri May 24 20:14:22 1996

Date:         Fri, 24 May 1996 18:01:42 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Phillip Wherry <psw@wherry.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.LNX.3.93.960524150737.30715B-100000@whitman.gmu.edu>

A couple of messages have appeared on the Bugtraq mailing list concerning
the use of X to control a Netscape client. I think there's a fundamental
point being missed here: control of the Netscape client is done through X
properties and thereby REQUIRES that one already have control of the X
server.

The situation described (Web server manipulates a Netscape instance
remotely) isn't possible unless the server ALREADY has unfettered access
to the X server; even if this were true, the attack would be conducted via
the X mechanisms and not HTTP. The server-side include example cited
wouldn't work, since the program would be executed on the Web server end,
not the client (running the X server).

Phil

--
Phil Wherry - psw@wherry.com
Phone:   +1 703 242-2618; fax +1 703 242-1167
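
Since the message's point is that controlling Netscape this way depends on who can already connect to the X server, the following added example (not part of the original message) classifies `xhost` output by how widely the server accepts clients. The function names, return codes and sample lines are constructed for illustration; it looks only at the host-based access list, not at xauth cookies.

```shell
#!/bin/sh
# Added example: read `xhost` output on stdin and report how open the X server is.
# Return codes (a convention assumed for this example):
#   0 = access control on, only per-user entries (or none)
#   1 = whole-host entries present: any user on those hosts can connect
#   2 = access control disabled: any host can connect
audit_xhost() {
    level=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "OPEN: $line"
                level=2 ;;
            "access control enabled"*|"")
                : ;;                      # expected header or blank line
            SI:localuser:*)
                echo "user-scoped: $line" ;;
            *)
                # INET:, INET6:, LOCAL:, SI:hostname: and similar host entries
                echo "host-wide: $line"
                if [ "$level" -lt 1 ]; then level=1; fi ;;
        esac
    done
    return "$level"
}

# Constructed sample resembling `xhost` output (hostname and user are placeholders).
sample_xhost_output() {
    cat <<'EOF'
access control enabled, only authorized clients can connect
INET:workstation.example.org
SI:localuser:phil
EOF
}

# Demonstration on the constructed sample; on a live display use: xhost | audit_xhost
sample_xhost_output | audit_xhost || echo "audit level: $?"
```

Any client admitted by a host-wide or disabled setting can read and set properties on other clients' windows, which is the precondition the message describes.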
