[12649] in bugtraq
Pine: expanding env vars in URLs (seems to be fixed as of 4.21)
daemon@ATHENA.MIT.EDU (Jim Hebert)
Thu Nov 18 13:14:03 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9911171818220.12375-100000@ray.compu-aid.com>
Date: Wed, 17 Nov 1999 18:23:20 -0500
Reply-To: Jim Hebert <jhebert@JHEBERT.CX>
From: Jim Hebert <jhebert@JHEBERT.CX>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I reported the vulnerability below to the Pine team on Oct 21, when 4.20
was current. 4.21 (which I just noticed on freshmeat) seems to fix the
problem even though it's not mentioned in the release notes. Since it's
not, I thought some disclosure was in order. I built 4.21 in the same way
I built 4.20 (below).
Best,
Jim Hebert <jhebert@jhebert.cx>
- ---------- Forwarded message ----------
Date: Thu, 21 Oct 1999 03:40:27 -0400 (EDT)
From: Jim Hebert <jhebert@jhebert.cx>
To: pine@cac.washington.edu
Subject: Security: expanding env vars in URLs
1 line summary: environment vars are expanded in URLs I try to view
Versions tested: 4.10 and 4.20. 4.10 from "Red Hat" rpm and 4.20 built
from pristine sources to slx build target. Both seem equally affected.
Discussion:
A certain mailing I get occasionally recently had a url like
http://something/some/cgi$12345
I noticed viewing the url didn't seem to work right, and finally figured
out that the url must get near enough to a shell to allow environment
variable expansion.
A quick test for me was:
echo 'setenv WWW www.securityfocus.com' >> .tcshrc
source .tcshrc
pine
(view a link I mailed myself like: http://$WWW )
it works, I visit securityfocus
Doesn't sound dangerous/exploitable yet, right? Well, imagine your shell
is bash, someone sends you a html formatted mail, and the url is long:
"Click here for cool stuff!"
the url is very long, long enough that the dangerous part is elided when
pine asks the user to confirm they want to visit that page
the url ends with something like:
?trojan=$(shell command)
The user says "yeah, sure, visit that page" since they don't see the
dangerous part.
At the least least, people put your environment variables into their
webserver access logs. At most, people can get you to run shell commands
(bad enough by itself) _and_ have the output of them sent to them if they
wish.
I searched the bugtraq archives and didn't see anything about this. Sorry
if it's a known issue.
Thanks,
jim
jhebert@jhebert.cx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE4Mzj9B1oRfeAiKDARAs7ZAJ9WpvdZ8aVLAl1N89dXl1mun1jFLQCeP8lq
2F6L+3uiYG63eOpgVv0ME5I=
=Zj4l
-----END PGP SIGNATURE-----
