BugTraq
URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 05 2007 12:58PM
Juergen Schmidt (ju heisec de) (3 replies)
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 09 2007 11:03AM
Andreas Lindenblatt (azrael solution de)
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 09 2007 06:33AM
Andreas Lindenblatt (azrael solution de)
RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 05 2007 07:54PM
Roger A. Grimes (roger banneretcs com) (1 replies)
Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 06 2007 04:13PM
Thierry Zoller (Thierry Zoller lu) (2 replies)
RE: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 07 2007 01:30AM
Roger A. Grimes (roger banneretcs com)
Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 06 2007 04:43PM
Geo. (geoincidents nls net) (3 replies)
Re: URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 11 2007 12:48PM
Thierry Zoller (Thierry Zoller lu)
Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 06 2007 05:06PM
Thierry Zoller (Thierry Zoller lu) (3 replies)
Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 06 2007 06:52PM
Kurt Dillard (kurtdillard msn com) (1 replies)
Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 07 2007 01:40PM
Glynn Clements (glynn gclements plus com) (1 replies)
Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 08 2007 12:45AM
KJK::Hyperion (hackbunny s0ftpj org) (1 replies)
Glynn Clements wrote:
> Modifying individual programs to protect against a shell-injection bug
> in Windows' URI handler is a workaround (mitigation strategy), not a
> fix.

I repeat. Nowhere is it said that ShellExecute (the default "run stuff"
function) takes URLs. It takes strings. A desktop shortcut called
"www.google.com" can hijack execution of "www.google.com" (without a
"http://" prefix), and many other similar issues. If you pass a path to
it, it had damn better be an absolute path. If you pass a URL, it
had damn better be normalized. If your application handles documents
that can include URLs, you *must* implement normalization, goddamn it
(stop pasting strings together, fuckers, the sorry state of security is
entirely your goddamn fault! Skype.exe is 22 MB, surely there is room in
there for a normalization routine).

This is an issue of ambiguous strings that could be URLs or could be
not. It does suck that older applications will remain vulnerable until a
fix (if you want to lobby, lobby right. Work that angle), but I still
maintain that, in principle, this is the fault of sloppy third-party
developers.
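
The normalization step the message calls for, as an added example that is not part of the original post or of any application named in the thread: it refuses strings without an explicit allowlisted scheme and re-encodes every remaining byte before the result would be handed to a launcher such as ShellExecute. The function name `normalize_url`, the scheme allowlist and the sample inputs are assumptions; host-name canonicalization is out of scope.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the schemes this hypothetical application agrees to launch. */
static const char *const ALLOWED[] = { "http://", "https://", "mailto:" };

/* Turn a document-supplied string into an unambiguous absolute URL.
 * Returns 0 and fills out on success, -1 if the string must not be launched. */
int normalize_url(const char *in, char *out, size_t outlen)
{
    static const char keep[] = "-._~:/?#[]@!$&()*+,;=";  /* URL punctuation kept as-is */
    size_t i, n, plen = 0;
    /* 1. Require an explicit allowlisted scheme: "www.example.com" is not a URL. */
    for (i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        size_t len = strlen(ALLOWED[i]), k = 0;
        while (k < len && tolower((unsigned char)in[k]) == ALLOWED[i][k]) k++;
        if (k == len) { plen = len; break; }
    }
    if (plen == 0 || in[plen] == '\0' || plen >= outlen) return -1;
    memcpy(out, ALLOWED[i], plen);                        /* canonical lowercase scheme */
    n = plen;
    /* 2. Re-encode the rest byte by byte instead of pasting it through. */
    for (const unsigned char *p = (const unsigned char *)in + plen; *p; p++) {
        if (n + 4 > outlen) return -1;                    /* room for "%XX" plus NUL */
        if (*p < 0x20 || *p == 0x7f) return -1;           /* control characters */
        if (*p == '%') {                                  /* only well-formed escapes */
            if (!isxdigit(p[1]) || !isxdigit(p[2])) return -1;
            out[n++] = '%';
        } else if (*p < 0x80 && (isalnum(*p) || strchr(keep, *p))) {
            out[n++] = (char)*p;
        } else {                                          /* space, quotes, backslash, ... */
            n += (size_t)snprintf(out + n, 4, "%%%02X", (unsigned)*p);
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{   /* Constructed sample inputs, not taken from the thread. */
    const char *samples[] = { "www.example.com", "HTTP://example.com/a b\"c",
                              "http://example.com/%zz", "mailto:user@example.com" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               normalize_url(samples[i], buf, sizeof buf) == 0 ? buf : "REJECTED");
    return 0;
}
```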

Copyright 2010, SecurityFocus