On Sun, 6 Jan 2002, Michal Zalewski wrote:

> On Sat, 5 Jan 2002, zen-parse wrote:
>
> > Problem: URL handler allows embedded commands.
> > May allow email viruses of the Outlook kind.
>
> > http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...

Not quite, but it seems to be a related problem (i.e. caused by the shell
parsing what it was given).

There is some checking for metacharacters done, and if it has any, it puts
a single quote around them. However it doesn't check for another single
quote.

And then, on Sun, 6 Jan 2002, Michal Zalewski wrote:

> > Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be
> > wrong, but it looks like it is the same problem...
>
> Ah ok, it is not exactly the same... they "fixed" it... still, I'm pretty
> sure I've seen it (things like '`id`') later, in 2000 or 2001 on
> BUGTRAQ...

What might work as a solution could be changing all "'"s into "'\''"s as it
does in another part of the code. Or maybe use a popen that doesn't call a
shell.

Could've been the X-Chat thing you saw, but I wouldn't be too surprised if
there were more things like that in various clients that come with URL
handlers.

-- zen-parse --

-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
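
The quoting gap and the two fixes discussed in the message above, as an added example that is not part of the original post or of the affected client's code. The function names are hypothetical, `printf` stands in for the URL handler, and the scanner models only single quotes and backslashes, which is all this case needs.

```python
import subprocess
import sys

# URL from the report above; every name below is an assumption for illustration.
URL = "http://address/'&/some/program${IFS}with${IFS}arguments&'"

def quote_naive(arg):
    """Behaviour described in the thread: wrap in single quotes, ignore embedded ones."""
    return "'" + arg + "'"

def quote_fixed(arg):
    """Proposed fix: close the quote, emit an escaped quote, reopen ('\\'')."""
    return "'" + arg.replace("'", "'\\''") + "'"

def unquoted_text(word):
    """Return the characters a POSIX shell would see outside single quotes
    and not backslash-escaped, i.e. the part it still interprets."""
    out, in_quote, i = [], False, 0
    while i < len(word):
        c = word[i]
        if in_quote:
            in_quote = c != "'"      # a quote ends the quoted run
        elif c == "'":
            in_quote = True
        elif c == "\\":
            i += 1                   # backslash makes the next character literal
        else:
            out.append(c)
        i += 1
    return "".join(out)

def open_via_shell(arg):
    """Shell-based call site using the fixed quoting; printf is the stand-in handler."""
    cmd = "printf %s " + quote_fixed(arg)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout

def open_without_shell(arg):
    """No shell at all: the URL is one argv element, so no quoting is needed."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    return subprocess.run([sys.executable, "-c", child, arg],
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    print("naive leaves unquoted:", repr(unquoted_text(quote_naive(URL))))
    print("fixed leaves unquoted:", repr(unquoted_text(quote_fixed(URL))))
    print("via shell, fixed     :", open_via_shell(URL))
    print("without shell        :", open_without_shell(URL))
```

The naively quoted string is only inspected, never passed to a shell; a non-empty result from `unquoted_text` is the signal that part of the URL would be interpreted rather than treated as data.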