Re: Pine 4.33 (at least) URL handler allows embedded commands.

• Previous message: rolphin: "CrossSiteScripting PostNuke."
• In reply to: zen-parse: "Pine 4.33 (at least) URL handler allows embedded commands."
• Next in thread: zen-parse: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
• Reply: zen-parse: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
• Reply: Roman Drahtmueller: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 5 Jan 2002, zen-parse wrote:

> Problem:		URL handler allows embedded commands.
> 			May allow email viruses of the Outlook kind.

>   http://address/'&/some/program${IFS}with${IFS}arguments&'

Isn't that old news? http://www.securityfocus.com/bid/810

I *can* be wrong, but it looks like it is the same problem...

-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/

• Next message: Tozz: "Denial of Service flaw in Apache"
• Previous message: rolphin: "CrossSiteScripting PostNuke."
• In reply to: zen-parse: "Pine 4.33 (at least) URL handler allows embedded commands."
• Next in thread: zen-parse: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
• Reply: zen-parse: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
• Reply: Roman Drahtmueller: "Re: Pine 4.33 (at least) URL handler allows embedded commands."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jan 06 2002 - 23:21:43 PST