| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1566814645.20071008131929@SECURITY.NNOV.RU> Date: Mon, 8 Oct 2007 13:19:29 +0400 From: 3APA3A <3APA3A@...URITY.NNOV.RU> To: Thierry Zoller <Thierry@...ler.lu> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Re[3]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Dear Thierry Zoller, --Saturday, October 6, 2007, 9:06:51 PM, you wrote to bugtraq@...urityfocus.com: TZ> Dear Geo., G>> If the application is what exposes the URI handling routine to untrusted G>> code from the internet, TZ> Sorry, Untrusted code from the internet ? TZ> The user clicks on a mailto link, is that untrusted code? TZ> Or the mailto link is clicked for him. What URL is is defined by RFC 1738, what mailto: is is defined by RFC 2368. String in question is definetly _not_ URL because of %xx and ". Double quote is URL delimiter and is not a part of URL, in this case application incorrectly parses and highlights URL (it should stop before "). %xx is invalid character encoding. And altogether it's, for sure, not mailto: URL. Passing unchecked user input to function called ShellExecute(), where URL is expected, is a bug. So, while there is a security vulnerability in Windows, there is also security vulnerability in mIRC, Acrobat Reader, Netscape, Miranda, Skype, because ShellExecute() behaviour is not defined for the case non-URL data is passed to URL processor. -- ~/ZARAZA http://securityvulns.com/
Powered by blists - more mailing lists