Re: was: SA29489 CenterIM URL handling flaw

[Nico Golde <oss-security+ml () ngolde de>]

Hi Steven,
* Steven M. Christey <coley () linus mitre org> [2008-03-28 00:01]:
> On Tue, 25 Mar 2008, Nico Golde wrote:
> > * Nico Golde <oss-security+ml () ngolde de> [2008-03-25 16:25]:
> > > * Lubomir Kundrak <lkundrak () redhat com> [2008-03-24 15:08]:
[...] 
> > > That's partly true. While centerim has no special URL
> > > handler to handle incoming urls it does provide the ability
> > > to list urls in a message by pressing F2. If you press enter
> > > on one of these urls it tries to open it in an external
> > > browser and executes the other commands as well.
>
> This is the kind of situation that CVE adopted the "user-assisted" term
> for: the user assists the attacker in his/her own demise.

makes sense.

> > > You see the commands in the URL however so I think the
> > > impact of this is like sending someone a message with
> > > "please type rm -rf ~ in your shell" so the secunia rating
> > > is a bit beyond the actual impact.
>
> Is the URL still encoded at the time it is viewed?  if so, then I don't
> expect a typical user to notice this equivalent of "rm -rf *":
>
>   %72%6D%20%2D%72%66%20%2A
>
> and that's part of the "smell test" for user-assisted issues.

Nope it won't be encoded. Otherwise I would agree that a 
decoding hex is too much for a user :)

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: