Re: Pine 4.33 (at least) URL handler allows embedded commands.

[zen-parse <zen-parse@xxxxxxx>]

On Sun, 6 Jan 2002, Michal Zalewski wrote:

> On Sat, 5 Jan 2002, zen-parse wrote:
> 
> > Problem:		URL handler allows embedded commands.
> > 			May allow email viruses of the Outlook kind.
> 
> >   http://address/'&/some/program${IFS}with${IFS}arguments&'
> 
> Isn't that old news? http://www.securityfocus.com/bid/810
> 
> I *can* be wrong, but it looks like it is the same problem...

Not quite, but it seems to be a related problem (ie caused by the shell 
parsing what it was given).

There is some checking for metacharacters done, and if it has any, it puts 
a single quote around them. However it doesn't check for another single 
quote.

And then, on Sun, 6 Jan 2002, Michal Zalewski wrote:

> > Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be
> > wrong, but it looks like it is the same problem...
> 
> Ah ok, it is not extactly the same... they "fixed" it... still, I'm pretty
> sure I've seen it (things like '`id`') later, in 2000 or 2001 on
> BUGTRAQ...

What might work as a solution could be changing all "'"s into "'\''"s as
it does in another part of the code.

Or maybe use a popen that doesn't call a shell. 

Could've been the X-Chat thing you saw, but I wouldn't be too surprised if 
there were more things like that in various clients that come with URL 
handlers.

-- zen-parse

-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse@xxxxxxx to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.