how to make your own security hole, or, shell script execution in Mosaic 2.0pre4

Date: Wed, 29 Sep 93 17:04:53 -0500
From: marca@ncsa.uiuc.edu (Marc Andreessen)
Message-id: <9309292204.AA19453@wintermute.ncsa.uiuc.edu>
To: www-talk@nxoc01.cern.ch
Cc: mosaicdev@ncsa.uiuc.edu
Subject: how to make your own security hole, or, shell script
  execution in Mosaic 2.0pre4

Mosaic 2.0pre4, by virtue of the new config file support, has the new
capability to execute arbitrary shell scripts on the client machine as
directed by a remote server IF AND ONLY IF the following happens:

  (1) An entry is placed in the system or user mailcap that looks
      something like this:

        application/x-csh; csh -f %s

  (2) The client then accesses a document on a remote server that is
      typed 'application/x-csh' (or whatever, as above).

Mosaic does NOT ship with "application/x-csh; csh -f %s" or anything
similar in effect by default; this is therefore not an inherent
security hole in Mosaic.

Putting such an entry in your mailcap will obviously open a huge
security hole if you then use Mosaic to access documents over the
network and someone decides to be malicious.

HOWEVER, this does offer a huge new piece of functionality that many
people have requested for using Mosaic in a local client/server
environment to launch arbitrary applications.  (Sandia people, are you
out there?  :-)

One cheap and dirty workaround for the security problem is to make up
a bogus MIME type that no one else knows about and use that (on both
client and server ends) as a replacement for 'application/x-csh'.
This is obviously not really secure, and will only prevent your client
from executing arbitrary shell scripts called 'application/x-csh' on
remote servers -- if someone takes a close look at your server,
however, they will be able to discover the type you are using and
therefore construct a custom-made bomb to destroy your entire
installation.  So be careful...

(One more note: the best way to exploit this capability is to use an
HTTP/1.0 server, like NCSA httpd 1.0a1, which does server-side typing.
You could also set up an extension map entry like 'application/x-csh
csh' in the client to allow the client to execute csh scripts off of
FTP servers, etc.).

(Yet one more note, while I'm at it: one way to improve this whole
thing very easily would be to write a simple GUI tool that takes a
filename as an argument, displays the file text to the user, asks "Do
you want to execute this?", and if the user says "Yes" then fork off
csh.  Then use that GUI tool as the 'application/x-csh' viewer.  We
may write such a tool, if we find the time.)

Cheers,
Marc
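The two halves of the message, the mailcap lookup in steps (1) and (2) that turns a remote document into a local command, and the "display it, then ask before forking csh" viewer sketched in the last note, as an added example in POSIX sh. This is illustration code written for this page; it is not part of the original message, of Mosaic, or of NCSA's tooling. The install path /usr/local/bin/confirm-exec, the CONFIRM_EXEC_SHELL override, the simplified mailcap parsing (exact type match only, no wildcards or case folding) and the sample mailcap lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original message or from Mosaic).
#
# Hypothetical mailcap entry that would use this script as the viewer
# instead of handing the file straight to csh:
#
#     application/x-csh; /usr/local/bin/confirm-exec %s

# mailcap_command TYPE MAILCAP_FILE
#   Print the command template (the field after the first ';') of the
#   first entry whose type field is exactly TYPE.  Real mailcap matching
#   also allows wildcards and ignores case; this is deliberately minimal.
#   Returns 1 when no entry matches.
mailcap_command() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        entry_type=$(printf '%s' "${line%%;*}" | tr -d ' \t')
        [ "$entry_type" = "$1" ] || continue
        rest=${line#*;}                 # drop the type field
        cmd=${rest%%;*}                 # drop any flags after the command
        printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
        return 0
    done < "$2"
    return 1
}

# confirm_exec FILE [ANSWER]
#   Show FILE to the user, ask for confirmation, and only then run it with
#   "$CONFIRM_EXEC_SHELL -f" (csh -f by default, as in the message; the
#   override exists so the example can be exercised where csh is absent).
#   ANSWER, when given, replaces the interactive prompt (used by tests).
#   Exit status: 0 executed, 2 declined, 1 usage error or missing file.
confirm_exec() {
    file=$1
    answer=${2-}
    interp=${CONFIRM_EXEC_SHELL:-csh}
    if [ -z "$file" ] || [ ! -f "$file" ]; then
        echo "confirm-exec: no such file: $file" >&2
        return 1
    fi
    echo "==== Received a script typed application/x-csh ===="
    echo "==== Contents of $file: ===="
    cat -v -- "$file"      # -v shows control characters so nothing hides
    echo "==== End of file ($(wc -c < "$file") bytes) ===="
    if [ -z "$answer" ]; then
        printf 'Do you want to execute this? (type yes to run) '
        read -r answer </dev/tty || answer=no   # no terminal: treat as declined
    fi
    case $answer in
        yes)
            echo "confirm-exec: running $interp -f $file" >&2
            "$interp" -f "$file"
            ;;
        *)
            echo "confirm-exec: declined, not executing $file" >&2
            return 2
            ;;
    esac
}

# When installed as /usr/local/bin/confirm-exec, act as the mailcap viewer.
case ${0##*/} in
    confirm-exec) confirm_exec "$@"; exit $? ;;
esac
```

With the default csh interpreter the script behaves exactly as the note describes: the user sees the full text that the remote server sent before anything is forked. The "bogus MIME type" workaround in the message does nothing for this check, because whatever type is chosen, the command template still ends in the script being run; the confirmation step is what actually interposes a decision.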