Netscape iPlanet iCal 'xhost -' Vulnerability

Netscape's iPlanet iCal application is a network-based calendar service built for deployment in organizations that require a centralized calendar system. Certain versions of iCal ship with a vulnerability introduced in the installation process which effectively removes X server authentication on the machine on which it is installed.

When the GUI is used for installation (the only documented option), the setup process issues an 'xhost - ' command, which disables the X server's access control lists. This allows remote users to connect to the X server and hijack connections, monitor keystrokes, etc.
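
To check whether a host was left in the state described above, the text that `xhost` prints when run with no arguments can be classified. The script below is an added example, not part of the original advisory; the function names `classify_xhost` and `audit_display` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the text printed by `xhost` (run with no arguments).
# Verdicts:
#   OPEN        access control disabled, any host may connect
#   REMOTE      access control enabled, but non-local entries are listed
#   LOCAL_ONLY  access control enabled, only local entries are listed
#   UNKNOWN     output not recognised
classify_xhost() {
    printf '%s\n' "$1" | awk '
        /^access control disabled/ { state = "OPEN" }
        /^access control enabled/  { state = "ON" }
        # Remaining non-empty lines are access-list entries.
        !/^access control/ && NF {
            if ($0 !~ /^(LOCAL:|SI:localuser:|SI:localgroup:)/) remote++
        }
        END {
            if (state == "OPEN")    print "OPEN"
            else if (state != "ON") print "UNKNOWN"
            else if (remote > 0)    print "REMOTE"
            else                    print "LOCAL_ONLY"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_REMOTE='access control enabled, only authorized clients can connect
INET:build01.example.com
SI:localuser:alice'
SAMPLE_LOCAL='access control enabled, only authorized clients can connect
SI:localuser:alice
LOCAL:'

# Audit the live display; call this manually on a host with an X session.
# Returns 0 only when the verdict is LOCAL_ONLY.
audit_display() {
    out=$(xhost 2>/dev/null) || { echo "UNKNOWN"; return 2; }
    verdict=$(classify_xhost "$out")
    echo "$verdict"
    [ "$verdict" = "LOCAL_ONLY" ]
}
```

Running `audit_display` after the installer finishes, and again after logging back in, shows whether the display was left open.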


 

Copyright 2010, SecurityFocus