>> [...]
>> In short: Netscape can be remote controlled by all users who have access to
>> someone's X Server.
>>
>> > and if the browsing user has an open X display anyone can then log into
>> > their account. Obviously this would be worse if root was running
>> > Netscape. This could also be used to have an idle netscape visit various
>> > pages of dubious virtue and bookmark them all, then the prankster can
>> > stop by the victim and have a laugh at their expense...
>>
>> I don't see this as a security problem. If you have access to someone's X
>> server, that someone's security can easily be compromised. It is possible to
>> log all keys typed, generate fake keyboard and mouse input, close windows or
>> just plain quit the X server.

Still, there is a significant gap between sniffing/denial of service and
executing shell commands. From what I've seen, security-conscious X clients
(such as xterm) have traditionally made sure they ignored synthetic keyboard
events, and didn't provide any kind of shell-capable remote X interface.

Although un-secured X servers are very much a bad idea, I consider it a
security hole when an X client can be tricked into executing arbitrary
commands via X. Netscape is a major offender with a documented, easy to use
"remote" interface, but there are others. GNU Emacs (not XEmacs) will happily
take synthetic (fake) events.

Note that most versions of Netscape are broken in other ways too; JavaScript
code can send email behind your back by filling a hidden form with action a
"mailto:" and then form.submit()ting it, and several bugs have been found in
Java's bytecode verifier (see the paper at
http://www.cs.princeton.edu/sip/pub/secure96.htm).

-Roger
--
e-mail: roger.espel.llima@ens.fr
WWW & PGP key: http://eleves.ens.fr:8080/home/espel/index.htm
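
The check the message attributes to security-conscious X clients, ignoring synthetic keyboard events, as an added example (not from the original post and not taken from xterm's source). It works on raw 32-byte core X11 events, where the protocol sets the top bit of the event code for anything generated by a SendEvent request; the function names and the sample events are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X_EVENT_SIZE 32      /* every core X11 event is 32 bytes on the wire */
#define X_SENT_BIT   0x80    /* set in byte 0 when the event came from SendEvent */
enum { X_KEY_PRESS = 2, X_MOTION_NOTIFY = 6 };  /* core input codes are 2..6 */

/* 1 = deliver to input handling, 0 = drop (short read or synthetic input). */
int accept_event(const uint8_t *ev, size_t len)
{
    if (len < X_EVENT_SIZE)
        return 0;
    uint8_t code = ev[0] & 0x7f;
    int synthetic = (ev[0] & X_SENT_BIT) != 0;
    int is_input = code >= X_KEY_PRESS && code <= X_MOTION_NOTIFY;
    return !(synthetic && is_input);
}

/* Walk a buffer of whole wire events; return how many were dropped. */
size_t count_dropped(const uint8_t *buf, size_t len)
{
    size_t dropped = 0;
    for (size_t off = 0; off + X_EVENT_SIZE <= len; off += X_EVENT_SIZE)
        if (!accept_event(buf + off, X_EVENT_SIZE))
            dropped++;
    return dropped;
}

/* Constructed sample: real KeyPress, sent KeyPress, sent ButtonPress,
   sent ClientMessage (code 33, not an input event, so it is kept). */
size_t demo_dropped(void)
{
    static const uint8_t codes[] = { 2, 2 | X_SENT_BIT, 4 | X_SENT_BIT, 33 | X_SENT_BIT };
    uint8_t buf[sizeof codes * X_EVENT_SIZE];
    memset(buf, 0, sizeof buf);
    for (size_t i = 0; i < sizeof codes; i++)
        buf[i * X_EVENT_SIZE] = codes[i];
    return count_dropped(buf, sizeof buf);
}

int main(void)
{
    printf("dropped %zu of 4 constructed events\n", demo_dropped());
    return 0;
}
```

Xlib exposes the same bit as the `send_event` field of every event structure, so a client using Xlib can apply the same test per event.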