oss-sec mailing list archives
Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included)
From: Josh Bressers <bressers () redhat com>
Date: Tue, 6 Jan 2009 14:46:46 -0500 (EST)
Here's a heads up for everyone (I've CCd the discoverer) Steve, can you assign a CVE id. Thanks. ----- Forwarded Message ----- Hello, as I've seen, you also seem to use xdg-open in /etc/mailcap. The problem is, that xdg-open, itself, detects the right mime-type. This allowes an attacker to deliver a dangerous file with a trustworthy mime-type to get it executed by xdg-open. I've created an example page: https://prefbar.mozdev.org/testxdgopen.html (With SSL) http://prefbar.mozdev.org/testxdgopen.html (Without SSL) This page delivers a .desktop file with the mime-type "application/pdf". In default configuration, Firefox offers to open this file with the default application, which is xdg-open. Just one click on "OK" (and most users won't have a closer look at the dialog!) and the content in the .desktop file is immediately executed! Other combinations are possible, I just got the first result with .desktop files. There may be other dangerous types, Firefox may be tricked to open with xdg-open. It's even possible to hide the real file type. See also: https://bugs.freedesktop.org/show_bug.cgi?id=19377 Problem: Their security bugs are open to the public :-( Fast reaction would be required :-( Yours Manuel Reimer -- () ascii ribbon campaign - against html mail /\ - gegen HTML-Mail answers as html mail will be deleted automatically! Antworten als HTML-Mail werden automatisch gelöscht! Sensationsangebot verlängert: GMX FreeDSL - Telefonanschluss + DSL für nur 16,37 Euro/mtl.!* http://dsl.gmx.de/?ac=OM.AD.PD003K1308T4569a
Current thread:
- Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included) Josh Bressers (Jan 06)
- Re: Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included) Bernhard R. Link (Jan 07)
- Re: Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox (Demonstration/Exploit included) Steven M. Christey (Jan 07)