[12697] in bugtraq


Re: Pine: expanding env vars in URLs (seems to be fixed as of

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Tue Nov 23 13:51:01 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <19991122113146.4569.0@argo.troja.mff.cuni.cz>
Date:         Mon, 22 Nov 1999 22:06:29 +0100
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.9911171818220.12375-100000@ray.compu-aid.com>

On Wed, 17 Nov 1999, Jim Hebert wrote:

> I reported the vulnerability below to the Pine team on Oct 21, when 4.20
> was current. 4.21 (which I just noticed on freshmeat) seems to fix the
> problem even though it's not mentioned in the release notes. Since it's
> not, I thought some disclosure was in order. I built 4.21 in the same way
> I built 4.20 (below).

An attempt was made to fix the vulnerability. An unsuccessful one.

The following line in pine/mailview.c controls whether the quoting is done
or not:

      if(strpbrk(handle->h.url.path, "&*;<>?[|~$") != NULL){  /* specials? */

It is obvious something is wrong: they try to explicitly list all harmful
characters and we all know this is the "disaster pattern". It is left as
an exercise for the reader to find at least two characters not included
in the list that have special meaning for the shell. Special bonus for
finding a character that is not on the list and has the power to defeat
the effect of quoting (and I am not speaking about bash 1.x \377 bug,
btw. it chokes on ``echo "$(echo '1`2')"'' as well...another good reason
to get rid of it). If you need a hint, search the same function for the
following line:

            sstrcpy(&cmdp, handle->h.url.path);

Yes, I know, providing patches or pointing out the mistakes clearly might
be more efficient but I hope Pine developers will get sick of their own
code having no choice but to analyze it and will rewrite it from
scratch...and cleanly (for instance, they should use a single (reasonably
safe) substitution procedure for mailcap and urls).


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
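Added example (not from the post above and not Pine's own code): a small C program that reproduces the strpbrk() blacklist check quoted from pine/mailview.c and contrasts it with quoting the URL unconditionally before it reaches the shell. The function names, the "naive" quoting routine and the sample URL are constructed for illustration; the post shows only that the decision to quote is made by that blacklist, not how Pine actually quotes, so naive_quote() is an assumption about the shape of such a routine, not a claim about Pine.

```c
#include <stdio.h>
#include <string.h>

/* The blacklist test quoted from pine/mailview.c: quote only if one of these
 * characters appears; anything else in the path goes to the shell raw. */
int pine_needs_quoting(const char *path)
{
    return strpbrk(path, "&*;<>?[|~$") != NULL;
}

/* Some shell metacharacters the blacklist does not mention.  The single quote
 * is the interesting one: it also terminates a single-quoted shell word, so it
 * defeats quoting that merely wraps the string in '...'. */
int has_unlisted_metachar(const char *path)
{
    return strpbrk(path, "`'\"\\()!#\n") != NULL;
}

/* Assumed naive routine: wrap in single quotes, no escaping of embedded quotes.
 * Returns 0 on success, -1 if out is too small. */
int naive_quote(const char *s, char *out, size_t n)
{
    if (strlen(s) + 3 > n)
        return -1;
    snprintf(out, n, "'%s'", s);
    return 0;
}

/* Robust quoting, applied unconditionally (no blacklist decision at all):
 * every ' inside s becomes '\'' (close quote, escaped quote, reopen), so the
 * result is always exactly one shell word whatever s contains. */
int shell_single_quote(const char *s, char *out, size_t n)
{
    size_t o = 0;
    if (o + 1 >= n)
        return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (o + 4 >= n)
                return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= n)
                return -1;
            out[o++] = *s;
        }
    }
    if (o + 2 > n)          /* closing quote plus NUL */
        return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Crude POSIX-shell view of a command line: count metacharacters that end up
 * outside single quotes (a backslash outside quotes escapes the next char).
 * 0 means the whole argument is still one inert word. */
int unquoted_metachars(const char *cmd)
{
    int inq = 0, count = 0;
    for (; *cmd; cmd++) {
        if (inq) { if (*cmd == '\'') inq = 0; continue; }
        if (*cmd == '\'') { inq = 1; continue; }
        if (*cmd == '\\') { if (cmd[1]) cmd++; continue; }
        if (strchr("`$|;&<>()", *cmd))
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed URL: passes the blacklist, contains ' and ` (not listed). */
    const char *url = "http://host/a'`id`'b";
    char buf[128];

    printf("blacklist says quote: %d\n", pine_needs_quoting(url));   /* 0 */
    naive_quote(url, buf, sizeof buf);
    printf("naive:  %s  (metachars outside quotes: %d)\n",
           buf, unquoted_metachars(buf));                             /* 2 */
    shell_single_quote(url, buf, sizeof buf);
    printf("robust: %s  (metachars outside quotes: %d)\n",
           buf, unquoted_metachars(buf));                             /* 0 */
    return 0;
}
```

The point the program makes is the one the post hints at: with a blacklist, the sample URL is never quoted at all, and even if a wrapper of single quotes were applied, the embedded ' closes the quoted word and the backticks run. Quoting every argument with shell_single_quote() (or, better, avoiding the shell entirely and passing an argv to execve()) removes the decision the blacklist was trying to make.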
