[30676] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: xpdf vulnerability - CAN-2003-0434

daemon@ATHENA.MIT.EDU (stanislav shalunov)
Wed Jul 9 16:07:32 2003

To: Andries.Brouwer@cwi.nl
From: stanislav shalunov <shalunov@internet2.edu>
Date: 09 Jul 2003 15:46:18 -0400
In-Reply-To: <UTC200307091654.h69GsSj29545.aeb@smtp.cwi.nl>
Message-ID: <87vfubeb5h.fsf@cain.internet2.edu>

Andries.Brouwer@cwi.nl writes:

> A urlCommand like the default "netscape -remote 'openURL(%s)'"
> is OK since the %s is protected by single quotes.

How so?  Consider an argument of
	'`rm -rf /tmp/test`'
This expands to
	netscape -remote 'openURL('`rm -rf /tmp/test`')'
where the single quotes have no effect.

A proper fix would be not to invoke shell at all, but simply fork and
exec.

-- 
Stanislav Shalunov		http://www.internet2.edu/~shalunov/

"The power of accurate observation is commonly called cynicism by
those who have not got it."			-- G. B. Shaw


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[30676] in bugtraq

Re: xpdf vulnerability - CAN-2003-0434

daemon@ATHENA.MIT.EDU (stanislav shalunov)Wed Jul 9 16:07:32 2003

daemon@ATHENA.MIT.EDU (stanislav shalunov)
Wed Jul 9 16:07:32 2003