Message-ID: <47097DA4.8010004@s0ftpj.org>
Date: Mon, 08 Oct 2007 02:45:24 +0200
From: "KJK::Hyperion" <hackbunny@...tpj.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Glynn Clements wrote:
> Modifying individual programs to protect against a shell-injection bug
> in Windows' URI handler is a workaround (mitigation strategy), not a
> fix.

I repeat. Nowhere is it said that ShellExecute (the default "run stuff"
function) takes URLs. It takes strings. A desktop shortcut called
"www.google.com" can hijack execution of "www.google.com" (without a
"http://" prefix), and many other similar issues. If you pass a path to
it, it had damn well better be an absolute path. If you pass a URL, it
had damn well better be normalized. If your application handles documents
that can include URLs, you *must* implement normalization, goddamn it
(stop pasting strings together, fuckers, the sorry state of security is
entirely your goddamn fault! Skype.exe is 22 MB, surely there is room in
there for a normalization routine).

This is an issue of ambiguous strings that could be URLs or could not
be. It does suck that older applications will remain vulnerable until a
fix (if you want to lobby, lobby right. Work that angle), but I still
maintain that, in principle, this is the fault of sloppy third party
developers.
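As an added example, not code from the original post or from any of the products named, here is the kind of normalization routine the author is demanding: before a link-opening application hands a string to ShellExecute, it checks that the string is an explicit, absolute URL with an allow-listed scheme and a host, rejects bytes that have no business in a URL, and lower-cases the scheme and host. The function names, the scheme allow-list and the sample inputs are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Schemes a link-opening application accepts (assumed allow-list). */
static const char *const ALLOWED_SCHEMES[] = { "http", "https" };

/* Writes a normalized copy of url (scheme and host lower-cased) to out and
 * returns 1; returns 0 when the string must not reach ShellExecute: no explicit
 * scheme (bare "www.google.com" is a string, not a URL), a scheme outside the
 * allow-list, no host, whitespace/control/non-ASCII bytes, a quote character,
 * or a '%' not followed by two hex digits. */
int normalize_http_url(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://"), *host, *path, *p;
    size_t i, n = strlen(url), slen;
    if (n + 1 > outlen || sep == NULL || sep == url) return 0;
    slen = (size_t)(sep - url); host = sep + 3;
    path = host + strcspn(host, "/?#");          /* end of the host part */
    if (path == host) return 0;                  /* "http://" with no host */
    for (p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= ' ' || c >= 0x7f || c == '"' || c == '\'') return 0;
        if (c == '%' && !(isxdigit((unsigned char)p[1]) &&
                          isxdigit((unsigned char)p[2]))) return 0;
    }
    for (i = 0; i < n; i++)                      /* lower-case up to the path */
        out[i] = (url + i < path) ? (char)tolower((unsigned char)url[i]) : url[i];
    out[n] = '\0';
    for (i = 0; i < sizeof ALLOWED_SCHEMES / sizeof *ALLOWED_SCHEMES; i++)
        if (strlen(ALLOWED_SCHEMES[i]) == slen &&
            strncmp(out, ALLOWED_SCHEMES[i], slen) == 0) return 1;
    return 0;                                    /* scheme not on the list */
}

/* Returns 1 if url is accepted and normalizes exactly to expected. */
int url_normalizes_to(const char *url, const char *expected)
{
    char buf[256];
    return normalize_http_url(url, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{   /* Constructed inputs: the first is accepted, the others are rejected. */
    const char *s[] = { "HTTP://WWW.Google.COM/Search?q=A%20b", "www.google.com", "file://c:/x" };
    char buf[256];
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", s[i], normalize_http_url(s[i], buf, sizeof buf) ? buf : "REJECTED");
    return 0;
}
```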
