Bugtraq mailing list archives
Re: Pine 4.33 (at least) URL handler allows embedded commands.
From: zen-parse <zen-parse () gmx net>
Date: Mon, 7 Jan 2002 21:05:15 +1300 (NZDT)
On Sun, 6 Jan 2002, Michal Zalewski wrote:
On Sat, 5 Jan 2002, zen-parse wrote:Problem: URL handler allows embedded commands. May allow email viruses of the Outlook kind.http://address/'&/some/program${IFS}with${IFS}arguments&'Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be wrong, but it looks like it is the same problem...
Not quite, but it seems to be a related problem (ie caused by the shell parsing what it was given). There is some checking for metacharacters done, and if it has any, it puts a single quote around them. However it doesn't check for another single quote. And then, on Sun, 6 Jan 2002, Michal Zalewski wrote:
Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be wrong, but it looks like it is the same problem...Ah ok, it is not extactly the same... they "fixed" it... still, I'm pretty sure I've seen it (things like '`id`') later, in 2000 or 2001 on BUGTRAQ...
What might work as a solution could be changing all "'"s into "'\''"s as it does in another part of the code. Or maybe use a popen that doesn't call a shell. Could've been the X-Chat thing you saw, but I wouldn't be too surprised if there were more things like that in various clients that come with URL handlers. -- zen-parse -- ------------------------------------------------------------------------- The preceding information is confidential and may not be redistributed without explicit permission. Legal action may be taken to enforce this. If this message was posted by zen-parse () gmx net to a public forum it may be redistributed as long as these conditions remain attached. If you are mum or dad, this probably doesn't apply to you.
Current thread:
- Pine 4.33 (at least) URL handler allows embedded commands. zen-parse (Jan 05)
- Re: Pine 4.33 (at least) URL handler allows embedded commands. Michal Zalewski (Jan 07)
- Re: Pine 4.33 (at least) URL handler allows embedded commands. zen-parse (Jan 08)
- Re: Pine 4.33 (at least) URL handler allows embedded commands. Roman Drahtmueller (Jan 08)
- Re: Pine 4.33 (at least) URL handler allows embedded commands. Michal Zalewski (Jan 07)