• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Pine Environment Variable Expansion in URLS Vulnerability

When pine handles email formatted with or containing HTML, urls which contain shell variables defined on the local machine where the client is running are expanded when followed. This can cause many security problems, ranging from sending expanded variables to webservers in the form of cgi parameters (and then logged to collect information about the target) to possibly executing arbitrary commands on the target host through malicious email. The following example was given by Jim Hebert <jhebert@jhebert.cx> in his post to BugTraq:


echo 'setenv WWW www.securityfocus.com' >> .tcshrc
source .tcshrc
pine
(view a link I mailed myself like: http://$WWW )
it works, I visit securityfocus.