Re: Pine 4.33 (at least) URL handler allows embedded commands.
From: Roman Drahtmueller (draht@suse.de)
Date: 01/07/02
- In reply to: Michal Zalewski: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
Date: Mon, 7 Jan 2002 14:01:05 +0100 (MET)
From: Roman Drahtmueller <draht@suse.de>
To: bugtraq@securityfocus.com
> > Problem: URL handler allows embedded commands.
> > May allow email viruses of the Outlook kind.
>
> > http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...
SuSE pine packages contain a patch that makes pine use environment
variables to pass on the URL to the viewer. The patch is attached - I'm
not sure who made it, but it looks like it is from Olaf Kirch.
Roman.
--
| Roman Drahtmüller <draht@suse.de>  // "You don't need eyes to see,
| SuSE GmbH - Security       Phone:  //  you need vision!"
| Nürnberg, Germany +49-911-740530   //  Maxi Jazz, Faithless
- TEXT/PLAIN attachment: pine-4.33-security.patch
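The approach described in the message above, passing the URL to the viewer in an environment variable instead of pasting it into the shell command line, shown as an added example. It is not the attached SuSE patch or Pine's own code; the function names, the VIEWER_URL variable name and the use of printf as a stand-in viewer are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Run cmd through /bin/sh (via popen) and capture its stdout; 0 on success. */
static int run_capture(const char *cmd, char *out, size_t outlen)
{
    FILE *p = popen(cmd, "r");
    size_t n;
    if (p == NULL) return -1;
    n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    return pclose(p) == -1 ? -1 : 0;
}

/* Before: the URL is pasted into the command line, so quotes, '&' and '$'
 * inside it are parsed by the shell as syntax rather than as data. */
int view_url_interpolated(const char *url, char *out, size_t outlen)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "printf '%%s' '%s'", url);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    return run_capture(cmd, out, outlen);
}

/* After: the command line is a constant. The URL travels in the environment
 * and is expanded inside double quotes, so the shell never re-parses it. */
int view_url_env(const char *url, char *out, size_t outlen)
{
    int rc;
    if (setenv("VIEWER_URL", url, 1) != 0)  /* VIEWER_URL: hypothetical name */
        return -1;
    rc = run_capture("printf '%s' \"$VIEWER_URL\"", out, outlen);
    unsetenv("VIEWER_URL");
    return rc;
}

int main(void)
{
    /* URL string taken from the quoted report above */
    const char *url = "http://address/'&/some/program${IFS}with${IFS}arguments&'";
    char a[512], b[512];
    view_url_interpolated(url, a, sizeof a);
    view_url_env(url, b, sizeof b);
    printf("interpolated: [%s]\nenvironment:  [%s]\n", a, b);
    return 0;
}
```

The viewer command itself must also quote the variable wherever it uses it; an unquoted expansion in a user-configured viewer line would undergo word splitting again.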