> > Problem: URL handler allows embedded commands.
> > May allow email viruses of the Outlook kind.
>
> > http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...

SuSE pine packages contain a patch that makes pine use environment
variables to pass on the URL to the viewer.
The patch is attached - I'm not sure who made it, but it looks like it is from
Olaf Kirch.

Roman.
--
 - -
| Roman Drahtmüller <drahtat_private> // "You don't need eyes to see,
| SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless
 - -
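The difference between pasting a URL into the viewer's command line and handing it over in an environment variable, as an added example (not the attached SuSE patch and not pine's code). The variable name VIEWER_URL and the printf stand-in for the viewer are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* URL from the report quoted above. */
static const char REPORT_URL[] =
    "http://address/'&/some/program${IFS}with${IFS}arguments&'";

/* Run cmd through /bin/sh and keep the first line it writes to stdout. */
static int run_capture(const char *cmd, char *out, size_t outlen) {
    char rest[256];
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    if (!fgets(out, (int)outlen, p)) out[0] = '\0';
    out[strcspn(out, "\n")] = '\0';
    while (fgets(rest, sizeof rest, p)) { /* drain remaining output */ }
    return pclose(p);
}

/* "Before": URL pasted into the command line, so sh parses its ' & ${IFS}. */
int view_interpolated(const char *url, char *out, size_t outlen) {
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd,
                     "{ printf '%%s\\n' '%s'; } 2>/dev/null", url);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    return run_capture(cmd, out, outlen);
}

/* "After": fixed command line; URL travels in VIEWER_URL (hypothetical name). */
int view_via_env(const char *url, char *out, size_t outlen) {
    int rc;
    if (setenv("VIEWER_URL", url, 1) != 0) return -1;
    rc = run_capture("printf '%s\\n' \"$VIEWER_URL\"", out, outlen);
    unsetenv("VIEWER_URL");
    return rc;
}

int main(void) {
    char got[512];
    view_interpolated(REPORT_URL, got, sizeof got);
    printf("interpolated: viewer saw [%s]\n", got);
    view_via_env(REPORT_URL, got, sizeof got);
    printf("environment:  viewer saw [%s]\n", got);
    return 0;
}
```

The protection depends on the viewer command quoting the variable ("$VIEWER_URL"); the shell expands it after the command line has been parsed, so the URL's quotes and & are never treated as syntax.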
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:05:24 PST