Bugtraq mailing list archives
Re: Pine 4.33 (at least) URL handler allows embedded commands.
From: Roman Drahtmueller <draht () suse de>
Date: Mon, 7 Jan 2002 14:01:05 +0100 (MET)
Problem: URL handler allows embedded commands. May allow email viruses of the Outlook kind.

http://address/'&/some/program${IFS}with${IFS}arguments&'

Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be wrong, but it looks like it is the same problem...

SuSE pine packages contain a patch that makes pine use environment variables to pass on the URL to the viewer. The patch is attached - I'm not sure who made it, but it looks like from Olaf Kirch.

Roman.
--
| Roman Drahtmüller <draht () suse de> // "You don't need eyes to see,
| SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless

Attachment: pine-4.33-security.patch
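
The mitigation described in the message above (pass the URL to the viewer through the environment instead of pasting it into the shell command text), as an added example that is not the attached patch and not Pine's code. The variable name MAIL_URL, the stand-in viewer command and both function names are assumptions made for illustration; the sample URL is the form quoted in the thread and is only ever handled as data.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the URL form quoted in the thread, treated purely as data. */
static const char SAMPLE_URL[] =
    "http://address/'&/some/program${IFS}with${IFS}arguments&'";

/* Stand-in for the configured viewer (hypothetical): it only echoes the URL it
 * was given. The command text is constant and never contains the URL itself. */
static const char VIEWER_CMD[] = "printf '%s' \"$MAIL_URL\"";

/* Pre-fix pattern: the URL is pasted into the text that /bin/sh will parse.
 * A quote inside the URL closes the quoting, so the rest is parsed as shell
 * syntax. This function only builds the string; it never runs it. */
int build_interpolated(char *out, size_t n, const char *viewer, const char *url)
{
    int len = snprintf(out, n, "%s '%s'", viewer, url);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Hardened pattern: the URL travels in the environment (MAIL_URL is a
 * hypothetical name) and the shell sees it only as the result of a quoted
 * expansion, which is not re-parsed. Captures what the viewer received. */
int view_via_env(const char *viewer_cmd, const char *url, char *seen, size_t n)
{
    FILE *p;
    size_t got;

    if (n == 0 || setenv("MAIL_URL", url, 1) != 0)
        return -1;
    if ((p = popen(viewer_cmd, "r")) == NULL)
        return -1;
    got = fread(seen, 1, n - 1, p);
    seen[got] = '\0';
    return pclose(p);   /* wait status of the shell; 0 on success */
}

int main(void)
{
    char cmd[256], seen[256] = "";

    if (build_interpolated(cmd, sizeof cmd, "viewer", SAMPLE_URL) > 0)
        printf("interpolated: %s\n", cmd);
    if (view_via_env(VIEWER_CMD, SAMPLE_URL, seen, sizeof seen) == 0)
        printf("via env:      %s\n", seen);
    return strcmp(seen, SAMPLE_URL) != 0;
}
```

The protection depends on the viewer command quoting the expansion: an unquoted $MAIL_URL is still word-split and glob-expanded, although it is not re-parsed for quotes or `&`.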