[23747] in bugtraq
Re: Pine 4.33 (at least) URL handler allows embedded commands.
daemon@ATHENA.MIT.EDU (zen-parse)
Tue Jan 8 10:55:40 2002
Date: Mon, 7 Jan 2002 21:05:15 +1300 (NZDT)
From: zen-parse <zen-parse@gmx.net>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.42.0201061733250.3881-100000@nimue.bos.bindview.com>
Message-ID: <Pine.LNX.4.33.0201072017180.2834-100000@clarity.local>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Sun, 6 Jan 2002, Michal Zalewski wrote:
> On Sat, 5 Jan 2002, zen-parse wrote:
>
> > Problem: URL handler allows embedded commands.
> > May allow email viruses of the Outlook kind.
>
> > http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...
Not quite, but it seems to be a related problem (i.e. caused by the shell
parsing what it was given).
There is some checking for metacharacters done, and if it has any, it puts
a single quote around them. However, it doesn't check for another single
quote.
And then, on Sun, 6 Jan 2002, Michal Zalewski wrote:
> > Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be
> > wrong, but it looks like it is the same problem...
>
> Ah ok, it is not exactly the same... they "fixed" it... still, I'm pretty
> sure I've seen it (things like '`id`') later, in 2000 or 2001 on
> BUGTRAQ...
What might work as a solution could be changing all "'"s into "'\''"s as
it does in another part of the code.
Or maybe use a popen that doesn't call a shell.
Could've been the X-Chat thing you saw, but I wouldn't be too surprised if
there were more things like that in various clients that come with URL
handlers.
-- zen-parse
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
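The quoting fix suggested in the reply above (turn every embedded ' into '\'' before wrapping the URL in single quotes), as an added example that is not Pine's code and not part of the original post; the function names are my own, and the sample URL is constructed from the pattern quoted in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append src to out[] at position *n without overflowing outsz. */
static int append(char *out, size_t outsz, size_t *n, const char *src)
{
    size_t len = strlen(src);
    if (*n + len + 1 > outsz)          /* +1 keeps room for the NUL */
        return -1;
    memcpy(out + *n, src, len);
    *n += len;
    out[*n] = '\0';
    return 0;
}

/* Quote url for a POSIX shell: wrap it in '...' and replace each embedded
 * single quote with '\'' (close the quote, escaped literal quote, reopen).
 * Inside single quotes the shell treats &, $, `, ; and ${IFS} literally,
 * so the only character that can break out of the string is ' itself.
 * Returns 0 on success, -1 if out is too small (out is then left empty). */
int shell_single_quote(const char *url, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (append(out, outsz, &n, "'") < 0) goto fail;
    for (p = url; *p; p++) {
        char one[2] = { *p, '\0' };
        if (append(out, outsz, &n, *p == '\'' ? "'\\''" : one) < 0)
            goto fail;
    }
    if (append(out, outsz, &n, "'") < 0) goto fail;
    return 0;
fail:
    out[0] = '\0';
    return -1;
}

int main(void)
{
    /* Constructed sample input: the URL shape from the report. */
    const char *url = "http://address/'&/some/program${IFS}with${IFS}arguments&'";
    char buf[256];
    if (shell_single_quote(url, buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

The other option mentioned in the reply, handing the URL to the viewer through fork() and execvp() with an argv array, needs no quoting at all, because no shell ever parses the string.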