COMMAND
Netscape
SYSTEMS AFFECTED
Debian (Hamm) Linux with Communicator 4.05 and 4.51
PROBLEM
Graham Evans found the following. It is possible to mistakenly
use a browser (with its settings, passwords, etc.) that is running
on a different machine from the one you expect. How to recreate
it? Take two Unix boxes (A and B). On the console of A, run X and
allow B to access the screen (using the xhost command). Telnet
into B and (after setting the DISPLAY environment variable) run
netscape. You now get a copy of netscape running on B (type
"file:/etc/hostname" in the location bar). Open a new xterm on A
and run netscape; a new window appears, but it is just another
instance of B's program (again type "file:/etc/hostname" to
check). Note that you open up Pandora's box with the xhost setup
mentioned above: B can sniff A's keyboard, "inject" keystrokes and
mouse movements into the input stream and spy on A's screen, and
probably do much more. It all boils down to "xhost is evil".
Anyway...
Suppose you use two computers: B has a connection to the
Internet and A holds personal data. You follow the instructions
above and type file:/usr/me/stuff.txt; you are actually reading
the file off B, not A. Also, if you use this new window to browse
an intranet, all cookies, passwords and bookmarks will be stored
on and read from B, leaving B as a target.
SOLUTION
The "netscape" executable on Debian is likely a wrapper which does
something like:

    real_netscape -remote "openURL(...)" || real_netscape ...

Just get rid of the wrapper if you don't like this behaviour.

Netscape IS being called with the -remote option, so yes, it is a
"feature" rather than a "bug", although it seems odd that -remote
is allowed to check for copies of itself running on another
computer, and relies completely on X permissions (never very
strong) to stop misuse.

It is even easier than that; just edit /etc/netscape4/config and
change

    use_ns_remote=yes

to

    use_ns_remote=no

(you may need uppercase to make it work).
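
An audit sketch for the two conditions the advisory depends on: a display shared through xhost, and a wrapper config that still enables -remote. This is an added example, not part of the original advisory or the Debian package; the sample xhost output, the host name hostB and the config fragment are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Both functions read text on stdin,
# so they accept live output (`xhost`, `cat /etc/netscape4/config`) or the
# constructed samples at the bottom.

# Print each grant that lets another host onto the display.
# Returns 0 if any were found, 1 if the display is not shared.
xhost_exposed() {
    awk '
        /^access control disabled/ { print "any host (access control disabled)"; found = 1; next }
        /^access control enabled/  { next }
        /^(LOCAL:|SI:localuser:)/  { next }   # local-only grants
        NF                         { print "host grant: " $0; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Returns 0 if the last use_ns_remote assignment is "yes". Key and value are
# compared case-insensitively because the advisory says upper case may be
# needed; commented-out lines are ignored.
ns_remote_enabled() {
    awk '
        { line = tolower($0); gsub(/[ \t"]/, "", line) }
        line ~ /^use_ns_remote=/ { val = substr(line, 15) }
        END { exit (val == "yes" ? 0 : 1) }
    '
}

# Constructed samples (hostB is a placeholder name).
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:hostB
SI:localuser:me'
SAMPLE_CONFIG='# constructed config fragment
use_ns_remote=yes'

if printf '%s\n' "$SAMPLE_XHOST" | xhost_exposed; then
    echo "display is shared: clients from those hosts can read input and screen"
fi
if printf '%s\n' "$SAMPLE_CONFIG" | ns_remote_enabled; then
    echo "wrapper tries -remote first: may attach to a browser on another host"
fi
```

On a live system, pipe `xhost` and the contents of /etc/netscape4/config into the two functions in place of the samples.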