[16417] in bugtraq


Re: MDKSA-2000:039 - xchat update

daemon@ATHENA.MIT.EDU (Decklin Foster)
Mon Aug 28 12:47:52 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20000826033358.B12391@photek.dhs.org>
Date:         Sat, 26 Aug 2000 03:33:58 -0400
Reply-To: Decklin Foster <decklin@RED-BEAN.COM>
From: Decklin Foster <decklin@RED-BEAN.COM>
X-To:         Joey Hess <joey@kitenet.net>, Signal 11 <signal11@MEDIAONE.NET>,
              69982@bugs.debian.org, security@debian.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000825202204.A2770@kitenet.net>; from joey@kitenet.net on Fri,
              Aug 25, 2000 at 08:22:05PM -0700

Joey Hess writes:

> Actually it is. The "netscape (existing)" and "netscape (new window)"
> menu entries are safe,

Actually they're vulnerable too.

http://drugs.org/just/say/'`yes`'

The rule just puts openURL(%s) in single quotes, which can easily be
broken out of as in the above pseudo-URL.

I'm arguing for the use of execvp instead on the xchat mailing list;
we'll see how this goes. It's 3:30 AM and I won't be able to write any
code for it until tomorrow.

--
There is no TRUTH. There is no REALITY. There is no CONSISTENCY. There
are no ABSOLUTE STATEMENTS. I'm very probably wrong. -- BSD fortune(6)
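
The single-quoted shell template and the execvp approach discussed in the message above, side by side, as an added example that is not part of the original post or of xchat's code. The exact template string and the use of printf(1) as a stand-in for the browser are assumptions; the URL is the one quoted in the message.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Assumed handler template: the URL is pasted between single quotes and the
   string is handed to a shell. Returns 0 when the URL itself contains a
   quote, i.e. when part of it would land outside the quoting. */
int template_keeps_url_quoted(char *cmd, size_t n, const char *url)
{
    snprintf(cmd, n, "netscape -remote 'openURL(%s)'", url);
    return strchr(url, '\'') == NULL;
}

/* execvp style: run argv with no shell in between and capture the child's
   stdout. Returns the number of bytes captured, or -1 on error. */
long run_argv_capture(char *const argv[], char *buf, size_t n)
{
    int fds[2], status;
    if (n == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    size_t got = 0; ssize_t r;
    while (got < n - 1 && (r = read(fds[0], buf + got, n - 1 - got)) > 0)
        got += (size_t)r;
    buf[got] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (long)got : -1;
}

int main(void)
{
    const char *url = "http://drugs.org/just/say/'`yes`'"; /* from the message */
    char cmd[256], out[256];
    int ok = template_keeps_url_quoted(cmd, sizeof cmd, url);
    printf("shell string: %s\nquoting holds: %d\n", cmd, ok);
    /* printf(1) stands in for the browser: it echoes its argument back. */
    char *const argv[] = { "printf", "%s", (char *)url, NULL };
    if (run_argv_capture(argv, out, sizeof out) >= 0)
        printf("argument as received: %s\n", out);
}
```

With an argument vector the URL reaches the child byte for byte as one argument, so no quoting rule is needed at all.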
