I've been looking at Mosaic today too. Hard to track down all the
system calls and how you would get to them. As Marcus notes, some
should be easy to remove.
Has anyone looked at Lynx? Looks almost as bad wrt system calls. In
some ways it's worse since it has some hooks for running scripts.
On Mar 30, 4:25pm, Marcus J Ranum wrote:
> Subject: Mosaic --
>
> I did some experimenting with xmosaic today on one of my
> machines, running it under a trace to see if it does anything
> obviously bad. It didn't look like it was doing anything immediately
> and clearly unpleasant, but a perusal of the source code makes
> me pretty uncomfortable.
>
> + There is widespread use of system() to invoke the shell
Most of the needed ones appear to be related to mime types and invoking
the mime viewer. No reason they can't be rewritten to be safer.
> + There is little or no checking to control spoofing system()
As witnessed by the previous note regarding telnet. It does behave as
mentioned in an earlier message.
> + There are lots of bits in the code that indicate an unsettling
> lack of awareness of how UNIX works
There are a bunch of systems for rm's and mv's! Why is a good question.
> I ran xmosaic for a while under "trace" and saved the output
> to a file and grepped it for cases of open() and exec() and so forth.
> It seemed to be doing all its I/O to reasonably-named files in /usr/tmp
> and wasn't system()ing stuff. Presumably I didn't hit the right code
> paths to make it system() stuff. There are *LOTS* of invocations of
> system().
Find some mime documents that require some other viewer. That's my best guess.
Unless you have a .mailcap, get something with image types that require xv.
>
> > {
> >     /* For rlogin, we should use -l user. */
> >     sprintf(command, "%s -e %s %s %s %s %s &", xterm_str, access,
> >             hostname,
> >             port ? port : "",
> >             user ? "-l" : "",
> >             user ? user : "");
> > }
> > else
> > {
> >     /* For telnet, -l isn't safe to use at all -- most platforms
> >        don't understand it. */
> >     sprintf(command, "%s -e %s %s %s &", xterm_str, access,
> >             hostname,
> >             port ? port : "");
> > }
> > system(command);
This is a real problem. Need to parse the hostname string to only allow
a valid hostname and no extra shell commands. Drop all characters after the
first character that is not a valid name character (a-zA-Z0-9.-_). Make sure
port is a number.
>-- End of excerpt from Marcus J Ranum
Would also be nice to have an option to syslog all the URLs being requested.
Doesn't provide any protection, but if there are some unknown holes, at least
you might have some idea where to look for the problem.