Bugtraq mailing list archives
Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From: "KJK::Hyperion" <hackbunny () s0ftpj org>
Date: Mon, 08 Oct 2007 02:45:24 +0200
Glynn Clements wrote:
> Modifying individual programs to protect against a shell-injection bug in Windows' URI handler is a workaround (mitigation strategy), not a fix.
I repeat. Nowhere is it said that ShellExecute (the default "run stuff" function) takes URLs. It takes strings. A desktop shortcut called "www.google.com" can hijack execution of "www.google.com" (without a "http://" prefix), and many other similar issues. If you pass a path to it, it had damn better be an absolute path. If you pass a URL, it had damn better be normalized. If your application handles documents that can include URLs, you *must* implement normalization, goddamn it (stop pasting strings together, fuckers, the sorry state of security is entirely your goddamn fault! Skype.exe is 22 MB, surely there is room in there for a normalization routine).

This is an issue of ambiguous strings that could be URLs or could be not. It does suck that older applications will remain vulnerable until a fix (if you want to lobby, lobby right. Work that angle), but I still maintain that, in principle, this is the fault of sloppy third-party developers.
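A sketch of the kind of normalization routine the message asks applications to run before handing a document-supplied string to ShellExecute, added here as an example and not taken from the post or from any vendor's code. The function names and the http/https allowlist are assumptions; the routine only builds the string and never launches anything.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: only schemes this application means to launch. */
static const char *const ALLOWED[] = { "http://", "https://" };

/* Case-insensitive prefix match; returns the prefix length, or 0. */
static size_t match_scheme(const char *s)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof *ALLOWED; i++) {
        size_t n = strlen(ALLOWED[i]), j = 0;
        while (j < n && tolower((unsigned char)s[j]) == ALLOWED[i][j])
            j++;
        if (j == n)
            return n;
    }
    return 0;
}

/* Writes a normalized URL to out. Returns 0 on success, -1 if the input
 * is not an unambiguous URL (no allowlisted scheme) or does not fit. */
int normalize_url(const char *in, char *out, size_t outsz)
{
    /* RFC 3986 punctuation, minus the single quote (encoded instead). */
    static const char safe[] = "-._~:/?#[]@!$&()*+,;=";
    size_t n = match_scheme(in), o = 0;

    if (n == 0)
        return -1;              /* "www.google.com", file paths: ambiguous */
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        int escape_ok = c == '%' && isxdigit((unsigned char)in[i + 1])
                                 && isxdigit((unsigned char)in[i + 2]);
        if (o + 4 > outsz)
            return -1;          /* need room for "%XX" plus the NUL */
        if (i < n)
            out[o++] = (char)tolower(c);        /* canonical scheme case */
        else if (isalnum(c) || escape_ok || strchr(safe, c))
            out[o++] = (char)c;
        else                    /* quotes, spaces, backslashes, stray '%' */
            o += (size_t)sprintf(out + o, "%%%02X", (unsigned)c);
    }
    out[o] = '\0';
    return 0;
}
```

A string that fails this check is simply not launched; the caller does not fall back to passing the raw input through.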