Re: SECURITY ALERT! [Re: How do you execute shell scripts in Mosaic]

Pete <P.D.Mallinson@liverpool.ac.uk>
Errors-To: listmaster@www0.cern.ch
Date: Tue, 7 Jun 1994 12:00:12 +0200
Message-id: <199406070956.KAA17624@chad3-14.liv.ac.uk>
Reply-To: P.D.Mallinson@liverpool.ac.uk
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: Pete <P.D.Mallinson@liverpool.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: SECURITY ALERT! [Re: How do you execute shell scripts in Mosaic]
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Type: text/plain; charset=US-ASCII
Mime-Version: 1.0
X-Mailer: ELM [version 2.4 PL23]
> 
> Simon,
> 
> Are you asking about how to execute a script on the client side that
> comes in from an arbitrary hypertext link?  If so, there's a potential
> security issue.  There's essentially no limit on what damage the
> script can do.

Yep - what I am trying to do is execute a script that compares the
script that you have asked to be executed with a set of scripts stored
in a directory that only I have write access to - if the script to be
executed is the same as one in my directory then the script gets
executed, otherwise the user gets a message/window displaying the
first page of the script and gets asked if they really want to execute
the script (the default being NO).

I'm sure there are all sorts of security holes with this strategy that
I haven't thought about - which I hope you will now tell me about!

> 
> > 	Has anyone managed to execute a shell script from a hypertext
> > link in a html style document within mosaic. I understand it is
> > possible, from the notes I have seen on this matter I have changed the
> > following files:
> > 
> > 	added the following to the .mailcap file
> > application/x-csh; csh -f %s
> > 
> > 	the following is included in the mime.types file
> > application/x-csh	csh
> > 

That's effectively what I did - and it worked (with Mosaic and Lynx)
(I have used .mailcap and .mime.types in my $HOME directory and
mailcap and mime.types in /usr/local/lib/mosaic)

Pete
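
The check described in the message above, sketched as an added example that is not part of the original post or anyone's actual handler. The directory `APPROVED_DIR` and the functions `find_approved`, `decide` and `handle` are hypothetical names; running the trusted copy instead of the download is a design choice of this sketch.

```shell
#!/bin/sh
# Added example (not from the original message). APPROVED_DIR and all
# function names are hypothetical. Only the owner should have write
# access to APPROVED_DIR.
APPROVED_DIR="${APPROVED_DIR:-$HOME/approved-scripts}"

# Print the approved script that is byte-identical to $1; return 1 if none.
find_approved() {
    for trusted in "$APPROVED_DIR"/*; do
        [ -f "$trusted" ] || continue
        if cmp -s "$1" "$trusted"; then
            printf '%s\n' "$trusted"
            return 0
        fi
    done
    return 1
}

# $1 = downloaded script, $2 = user's answer (may be empty).
# Print the path that may be executed, or return 1 to refuse.
decide() {
    if match=$(find_approved "$1"); then
        # Hand back the trusted copy, not the download, so the file
        # cannot be swapped between comparison and execution.
        printf '%s\n' "$match"
        return 0
    fi
    case $2 in
        y|Y|yes|YES) printf '%s\n' "$1" ;;
        *)           return 1 ;;          # default answer is NO
    esac
}

# Entry point a mailcap line would call with the downloaded file (%s).
handle() {
    answer=
    if ! find_approved "$1" >/dev/null; then
        head -n 24 "$1"                   # first page of the unknown script
        printf 'Not an approved script. Execute anyway? [y/N] '
        read -r answer </dev/tty || answer=
    fi
    target=$(decide "$1" "$answer") || { echo 'Not executed.' >&2; return 1; }
    csh -f "$target"
}
```

When the user answers yes to an unmatched script, the downloaded file itself is run, so that path still depends entirely on the user's reading of the first page.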