Executing Shell Scripts Inside Mosaic

A frequent request from Mosaic users is for hyperlinks to launch local -- client-side -- processes (i.e., shell scripts, which may in turn call other programs).

One scenario where this would be useful is in a local client/server environment, where Mosaic is used as a front end to a number of other applications -- a document could explain what various applications do, and hyperlinks would cause the applications to be launched on the local machine.

As of Mosaic 2.0 prerelease 4, this is now possible. This opens up a number of questions and security concerns, and this document attempts to address both.

OK, How's It Work?

Consider what happens if the following takes place:

With such an entry in place, csh -f is used as the "viewer" for any document the server labels application/x-csh, which means the shell script -- whatever it happens to contain -- is executed on the client's host.

As an example, if you have the above mailcap entry in place, the following hyperlink will start up /usr/bin/X11/xclock on your host. If you do not have a direct Internet connection, the hyperlink will have to be edited to point to a copy of the script on your local HTTP server.


Security Implications

Since Mosaic is not shipped with support for application/x-csh, or anything similar, in its default settings, this is not a security hole unless you specifically modify your configuration files to make it so.

However, as soon as you add the entry for application/x-csh as above to your user or system mailcap, you have a security hole. The text of a hyperlink tells you nothing about the content type of what it points to; the server chooses that. A malicious information provider (anyone running a server) can therefore serve a dangerous shell script as application/x-csh behind an innocuous hyperlink in one of his/her documents, and if you click on it the script is fired off on your system, with your privileges, without your realizing what is going on.
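The practical check that follows from this is to look at your own user and system mailcap files for any viewer that executes what it is given rather than displaying it. The following Python script is an added example and is not code from the original Mosaic document: it parses mailcap syntax (RFC 1524: "type; command; field; field ..." with backslash line continuation and '#' comments) and flags entries whose viewer command hands the fetched body to a shell or script interpreter, as the csh -f entry above does. The sample mailcap text, the interpreter list and the function names are constructed for illustration.

```python
"""Audit a mailcap file for viewer entries that execute the fetched document.

Added example, not code from the original Mosaic document. It parses mailcap
syntax (RFC 1524: "type; command; field; field..." with backslash line
continuation and '#' comments) and flags entries whose viewer command hands
the downloaded body to a shell or script interpreter, the situation the
application/x-csh entry in the text creates.
"""
import os
import re
import shlex

# Placeholder substituted for %s so the command can be tokenised safely.
BODY_MARK = "__BODY__"

# Viewers that execute their input rather than display it.
# Assumption: illustrative list, extend it for your site.
INTERPRETERS = {"sh", "csh", "tcsh", "ksh", "bash", "zsh",
                "perl", "python", "awk", "tclsh", "wish"}

# Constructed sample mailcap (not taken from the page); the x-csh line is the
# kind of entry the document describes.
SAMPLE_MAILCAP = r"""
# display-only viewers
image/gif; xv %s
application/postscript; ghostview %s; \
    description="PostScript"
text/plain; less %s; needsterminal
# entries that run whatever the server sent
application/x-csh; csh -f %s
application/x-sh; sh %s; test=test -n "$DISPLAY"
application/x-perl; perl
"""


def parse_mailcap(text):
    """Return a list of (media_type, command, fields) tuples."""
    entries = []
    # A backslash at end of line continues the entry on the next line.
    logical = re.sub(r"\\\n", "", text)
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by ';' unless the ';' is backslash-escaped.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2:
            continue  # malformed: no viewer command
        media_type, command = fields[0].lower(), fields[1]
        extra = {}
        for field in fields[2:]:
            key, _, value = field.partition("=")
            extra[key.strip().lower()] = value.strip() if value else True
        entries.append((media_type, command, extra))
    return entries


def executes_body(command):
    """True if the viewer runs the document body instead of displaying it.

    RFC 1524: %s is replaced by a temporary file holding the body; with no
    %s at all the body is piped to the viewer's stdin, which a shell also
    executes. Either way an interpreter as viewer runs server-supplied code.
    """
    try:
        argv = shlex.split(command.replace("%s", BODY_MARK))
    except ValueError:
        return False  # unbalanced quotes: cannot tokenise, review by hand
    if not argv:
        return False
    prog = os.path.basename(argv[0])
    if prog not in INTERPRETERS:
        return False
    return BODY_MARK in argv[1:] or BODY_MARK not in argv


def audit(mailcap_text):
    """Return [(media_type, command)] for entries that execute the body."""
    return [(t, c) for t, c, _ in parse_mailcap(mailcap_text)
            if executes_body(c)]


if __name__ == "__main__":
    for media_type, command in audit(SAMPLE_MAILCAP):
        print(f"WARNING: {media_type} -> '{command}' executes server-supplied content")
```

Point audit() at the contents of ~/.mailcap and the system mailcap (on the Mosaic systems of the time typically /usr/local/etc/mailcap or /etc/mailcap) to find every type that a server can use to run code on your host; each one flagged is an entry to remove, or to replace with a viewer that shows the script instead of running it.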

Dealing With the Security Implications

Comments or Questions?

Mail mosaic-x@ncsa.uiuc.edu.