Bugtraq mailing list archives

Re: Pine 4.33 (at least) URL handler allows embedded commands.


From: Roman Drahtmueller <draht () suse de>
Date: Mon, 7 Jan 2002 14:01:05 +0100 (MET)

Problem:            URL handler allows embedded commands.
                    May allow email viruses of the Outlook kind.

  http://address/'&/some/program${IFS}with${IFS}arguments&'

Isn't that old news? http://www.securityfocus.com/bid/810

I *can* be wrong, but it looks like it is the same problem...

SuSE pine packages contain a patch that makes pine use environment
variables to pass on the URL to the viewer. The patch is attached - I'm
not sure who made it, but it looks like it is from Olaf Kirch.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SuSE GmbH - Security           Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

Attachment: pine-4.33-security.patch
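
The approach the message describes, handing the URL to the viewer in an environment variable instead of pasting it into the shell command line, as an added example. It is not the attached SuSE patch (which is not reproduced on this page) and not Pine's code; the variable name `VIEWER_URL` and both function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical name: the variable the SuSE patch uses is not shown on the page. */
#define URL_ENV "VIEWER_URL"

/* Run viewer_cmd through /bin/sh. The untrusted URL is never part of the
 * command text; the shell only sees it as the value of "$VIEWER_URL".
 * Returns the viewer's exit status, or -1 on failure. */
int launch_viewer(const char *viewer_cmd, const char *url)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child: set variable, then exec */
        if (setenv(URL_ENV, url, 1) != 0)
            _exit(127);
        execl("/bin/sh", "sh", "-c", viewer_cmd, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in "viewer" that writes the URL it received to out_path.
 * Returns 1 if the bytes arrived unchanged, i.e. the quote, '&' and
 * ${IFS} in the URL were treated as data and not as shell syntax. */
int url_survives_intact(const char *url, const char *out_path)
{
    char cmd[512], got[1024];
    size_t n;
    FILE *f;
    snprintf(cmd, sizeof cmd, "printf '%%s' \"$" URL_ENV "\" > '%s'", out_path);
    if (launch_viewer(cmd, url) != 0 || (f = fopen(out_path, "r")) == NULL)
        return 0;
    n = fread(got, 1, sizeof got - 1, f);
    got[n] = '\0';
    fclose(f);
    remove(out_path);
    return strcmp(got, url) == 0;
}
```

The configured viewer command has to reference the variable inside double quotes (`"$VIEWER_URL"`); the value of an expanded variable is not re-parsed as shell syntax, which is what removes the injection point.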