Netscape iPlanet iCal 'xhost -' Vulnerability
BID:1767
Info
| Bugtraq ID: | 1767 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 10 2000 12:00AM |
| Updated: | Oct 10 2000 12:00AM |
| Credit: | This vulnerability was discovered by @stake, Inc. and posted to the Bugtraq mailing list on Mon, 9 Oct 2000. |
| Vulnerable: | Netscape iCal 2.1 Patch2 |
| Not Vulnerable: | |
Discussion
Netscape's iPlanet iCal application is a network-based calendar service built for deployment in organizations that require a centralized calendar system. Certain versions of iCal ship with a vulnerability introduced in the installation process which effectively removes Xserver authentication on the machine on which it is installed.
When the GUI is used for installation (the only documented option), the setup process issues an 'xhost -' command which disables the Xserver's access control lists. This allows remote users to connect to the Xserver and hijack connections, monitor keystrokes, etc.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
It is suggested that you launch the installation with the '-nodisplay' flag to avoid this problem in current versions of the software. iPlanet Calendar Server 5.0, which is scheduled for future release (it is not yet released as of October 10, 2000), does not contain this vulnerability.
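For a host where the GUI installer has already been run, the check below (an added example, not part of the original advisory) classifies the output of `xhost` run with no arguments to show whether the X server's access control was left disabled. The function name `classify_xhost` and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the advisory: audit the X server state that the
# advisory says the GUI installer leaves behind (access control disabled).
# classify_xhost and the SAMPLE_* values are constructed for illustration.
# Live use, inside an X session:  xhost | classify_xhost

# Reads the output of `xhost` (no arguments) on stdin, prints a verdict:
#   OPEN        access control disabled, any host can connect
#   RESTRICTED  access control enabled, followed by the allowed entries
#   UNKNOWN     status line missing (e.g. no display); treat as failed audit
# Exit status: 0 = RESTRICTED, 1 = OPEN, 2 = UNKNOWN.
classify_xhost() {
    state=UNKNOWN
    entries=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "access control disabled"*) state=OPEN ;;
            "access control enabled"*)  state=RESTRICTED ;;
            "")                         ;;   # skip blank lines
            *)                          entries="$entries $line" ;;
        esac
    done
    case $state in
        OPEN)       echo "OPEN"; return 1 ;;
        RESTRICTED) echo "RESTRICTED$entries"; return 0 ;;
        *)          echo "UNKNOWN"; return 2 ;;
    esac
}

# Constructed samples of xhost output in each state.
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:alice'
SAMPLE_RESTRICTED='access control enabled, only authorized clients can connect
SI:localuser:alice
INET:calendar.example.com'

printf '%s\n' "$SAMPLE_OPEN"       | classify_xhost || true
printf '%s\n' "$SAMPLE_RESTRICTED" | classify_xhost || true
```

A RESTRICTED verdict still lists every allowed entry, so each one can be reviewed against the hosts and users that are expected to reach the display.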