Debian (Hamm) Linux with Communicator 4.05 and 4.51


    Graham Evans found the following.  It is possible to mistakenly use
    a browser (settings, passwords, etc.) that is running on a different
    machine from the one you expect.  How to recreate?  Take two Unix
    boxes (A and B).  On the console of A, run X and allow B to access
    the screen (using the xhost command).  Telnet into B and (after
    setting the DISPLAY environment variable) run netscape.  You now get
    a copy of netscape running on B (type "file:/etc/hostname" in the
    location bar).  Open a new xterm on A and run netscape: a new window
    appears, but it is just another instance of B's program (again type
    "file:/etc/hostname" to check).  Note that the setup above opens
    Pandora's box.  B can sniff A's keyboard, "inject" keystrokes and
    mouse movements into the input stream and spy on A's screen.  And
    probably do much more.  It all boils down to "xhost is evil".
    Anyway...

    You have two computers that you use: B has a connection to the
    internet and A holds personal data.  You follow the instructions
    above and type file:/usr/me/stuff.txt; you are actually reading
    the file off B, not A.  Also, if you use this new window to browse
    an intranet, all cookies, passwords and bookmarks will be stored
    on and read from B, leaving B as a target.
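
    Since everything above depends on which hosts A's X server accepts,
    here is an added example (not part of the original advisory) that
    classifies `xhost` output and flags every non-local entry.  The name
    audit_xhost and the host "hostB" are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list which remote hosts the X server on this display
# accepts connections from, based on the text that `xhost` prints.
# Live use:  xhost | audit_xhost

# Reads `xhost` output on stdin and prints one finding per risky entry.
# Returns 0 when only local entries are present, 1 otherwise.
audit_xhost() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # `xhost +` was run: the host list no longer matters.
                echo "OPEN: any host can connect to this display"
                rc=1 ;;
            "access control enabled"*|"")
                ;;  # status line or blank line, nothing to report
            LOCAL:*|SI:localuser:*|SI:localgroup:*)
                ;;  # local-only entries
            SI:hostname:*)
                echo "REMOTE: ${line#SI:hostname:}"
                rc=1 ;;
            INET:*|INET6:*)
                echo "REMOTE: ${line#*:}"
                rc=1 ;;
            *)
                # Older xhost versions print bare host names.
                echo "REMOTE: $line"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: display A after `xhost +hostB` (hostB is a placeholder).
audit_xhost <<'EOF' || true
access control enabled, only authorized clients can connect
INET:hostB
SI:localuser:me
EOF
```

    Any REMOTE or OPEN line means clients on that host can attach to the
    display, which is the precondition for the browser mix-up above.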


    The "netscape" executable on Debian is likely a wrapper which does
    something like:

        real_netscape -remote "openURL(...)" || real_netscape ...

    Just get  rid of  the wrapper  if you  don't like  this behaviour.
    Netscape IS being called with the  -remote option, so yes it is  a
    "feature" rather than a "bug", although it seems odd that  -remote
    is  allowed  to  check  for  copies  of  itself running on another
    computer,  and  relies  completely  on  X  permissions (never very
    strong) to stop misuse.   It is even easier  than that; just  edit
    /etc/netscape4/config and change




    (you may need uppercase to make it work).