oss-sec mailing list archives

Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included)


From: Josh Bressers <bressers () redhat com>
Date: Tue, 6 Jan 2009 14:46:46 -0500 (EST)

Here's a heads up for everyone (I've CC'd the discoverer).

Steve, can you assign a CVE id?

Thanks.

----- Forwarded Message -----

Hello,

As I've seen, you also seem to use xdg-open in /etc/mailcap.

The problem is that xdg-open itself detects the right mime-type. This allows an attacker to deliver a dangerous file with a trustworthy mime-type to get it executed by xdg-open.

I've created an example page:
https://prefbar.mozdev.org/testxdgopen.html (With SSL)
http://prefbar.mozdev.org/testxdgopen.html (Without SSL)

This page delivers a .desktop file with the mime-type "application/pdf". In default configuration, Firefox offers to open this file with the default application, which is xdg-open. Just one click on "OK" (and most users won't have a closer look at the dialog!) and the content in the .desktop file is immediately executed!

Other combinations are possible, I just got the first result with .desktop files. There may be other dangerous types Firefox may be tricked into opening with xdg-open. It's even possible to hide the real file type.

See also:
https://bugs.freedesktop.org/show_bug.cgi?id=19377
Problem: Their security bugs are open to the public :-( Fast reaction would be required :-(

Yours

Manuel Reimer
-- 
()  ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
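
An added example, not part of the original message or of any distribution's mailcap: a guard that a mailcap entry could call in front of xdg-open, checking that the file's content matches the MIME type the browser was given and refusing desktop entries. The function names, the magic-byte table and the idea of wiring it in as `application/pdf; <guard script> application/pdf %s` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: content check placed in front of xdg-open for a mailcap handler.

# Hex of the leading bytes a file of the declared type must start with.
# Small constructed allowlist; unknown types are refused rather than guessed.
expected_magic() {
    case "$1" in
        application/pdf) echo 255044462d ;;   # "%PDF-"
        image/png)       echo 89504e47 ;;
        image/jpeg)      echo ffd8ff ;;
        *)               return 1 ;;
    esac
}

# True when the content is a freedesktop desktop entry, whatever the file is named.
is_desktop_entry() {
    LC_ALL=C grep -q '^\[Desktop Entry\]' "$1"
}

# guard_check DECLARED_MIME FILE: returns 0 only if content matches the declared type.
guard_check() {
    mime=$1 file=$2
    [ -f "$file" ] || { echo "refused: not a regular file" >&2; return 1; }
    if is_desktop_entry "$file"; then
        echo "refused: desktop entry delivered as $mime" >&2; return 1
    fi
    want=$(expected_magic "$mime") || { echo "refused: no rule for $mime" >&2; return 1; }
    # Read exactly as many leading bytes as the rule has, as lowercase hex.
    got=$(od -An -tx1 -N $(( ${#want} / 2 )) "$file" | tr -d ' \n')
    [ "$got" = "$want" ] || { echo "refused: content is not $mime" >&2; return 1; }
}

# Handler entry point: hand the file to xdg-open only after the check passes.
guard_open() {
    guard_check "$1" "$2" && exec xdg-open "$2"
}

# When run as a script with "MIME FILE" arguments, act as the handler.
if [ "$#" -ge 2 ]; then
    guard_open "$1" "$2"
fi
```

xdg-open still chooses the handler by its own detection after the guard passes, so this narrows the mismatch described in the message rather than removing it.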
