[9550] in bugtraq
Re: So-called "remote exploit in pine"
daemon@ATHENA.MIT.EDU (peak@KERBEROS.TROJA.MFF.CUNI.CZ)
Sat Feb 13 15:13:01 1999
Date: Fri, 12 Feb 1999 21:53:16 +0100
Reply-To: peak@KERBEROS.TROJA.MFF.CUNI.CZ
From: peak@KERBEROS.TROJA.MFF.CUNI.CZ
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.WNT.4.10.9902101801140.-197051@actius1.sttl.uswest.net>

On Wed, 10 Feb 1999, Pine Development Team wrote:
> While one could modify Pine to guard against the particular exploit
> permitted by the mailcap entries in question, it is very difficult to
> conceive of a truly safe "paranoid mode" other than disabling parameter
> substitution entirely. However, we suspect most people will find it far
> easier to remove any unsafe entries from their mailcap configuration file.

A truly safe "paranoid mode" would be to refuse to execute the command
if the substitution could lead to any undesired effects--i.e. if any of the
substituted values contains a suspicious character. This could break some
functionality (but in fact, strange characters should never appear
anywhere save for %{boundary}) but you can always show the command to the
user and ask him/her. Well, lusers would lose anyway...

Of course, a real solution would be to pass the information using a
channel that is not subject to as much automagical interpretation as
the raw text of shell commands. Environment variables, perhaps? Anything
but the dangerous RFC-1524-Appendix-A(?) way.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
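
[Added example, not part of the original post and not Pine's code: a sketch of the two ideas in the message above, a "paranoid" expander that refuses any substituted value containing a character outside an allowlist, and an expander that passes values through environment variables instead of the command text. The allowlist, the MAILCAP_ variable prefix, the function names and the sample mailcap entry are assumptions made for illustration.]

```python
import re
import string

# Assumed allowlist: the post only says "suspicious character", so this
# sketch accepts a conservative set and refuses everything else.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "._-+=")
PARAM_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


class UnsafeSubstitution(Exception):
    """A parameter value would be unsafe inside the raw shell command."""


def paranoid_expand(template, params):
    """Expand %{name} fields; refuse if a value has a non-allowlisted char."""
    def repl(match):
        name = match.group(1).lower()
        value = params.get(name, "")
        bad = sorted(set(value) - SAFE_CHARS)
        if bad:
            # Caller can show the command to the user and ask, or give up.
            raise UnsafeSubstitution(f"%{{{name}}} contains {bad!r}")
        return value
    return PARAM_RE.sub(repl, template)


def env_expand(template, params):
    """Replace each %{name} with a quoted shell variable reference.

    Returns (command, env). The value travels in the environment, so the
    shell never parses it as command text. Assumes the mailcap entry does
    not wrap the field in quotes of its own.
    """
    env = {}

    def repl(match):
        name = match.group(1).lower()
        var = "MAILCAP_" + re.sub(r"[^A-Za-z0-9]", "_", name).upper()
        env[var] = params.get(name, "")
        return '"${' + var + '}"'
    return PARAM_RE.sub(repl, template), env
```

The (command, env) pair from env_expand is meant to be handed to the shell with env merged into the child's environment; %s and the other single-letter fields are left untouched by both functions.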