Message-Id: <200710072231.l97MVj8d015391@asti.maths.usyd.edu.au>
Date: Mon, 8 Oct 2007 08:31:45 +1000
From: Paul Szabo <psz@...hs.usyd.edu.au>
To: full-disclosure@...ts.grok.org.uk, hackbunny@...tpj.org
Subject: Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
>> What I see as "root cause", is ... Windows ... may parse and re-parse
>> a command an unspecified number of times. Compared to Unix, it confuses
>> system(3) with execl(3). ...
>> A number of similar issues would be solved if Windows would respect the
>> "command with one argument" setting, parsing the registry key just once.
>
> You cannot compare them, Windows [has] ShellExecute and CreateProcess ...
> In this particular case, I have to reluctantly agree with Microsoft, due
> to my "output side bears the burden of validation" doctrine. ...
> ... you should perform normalization or validation before passing a
> command string to a function that is designed and documented to invoke
> arbitrary programs in arbitrary ways, *not* safely execute an URI ...

Windows already does special %-decoding to URL protocol handlers as per
http://msdn2.microsoft.com/en-us/library/aa767914.aspx
(whereas I do not think it does that to most other application launch
registry keys). It should also protect blanks and quote characters, and
anything else that could upset or confuse later processing.

Cheers,
Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
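
What protecting blanks and quote characters changes for a handler, as an added example that is not part of the original post: the same %-decoded URI is substituted into a `"%1"` command template once unprotected and once escaped, and the resulting argument list is compared. The handler path, the `example:` scheme and the sample URI are constructed placeholders, and `split_args` is a simplified model of the Microsoft C runtime argument rules, not Windows code.

```python
import subprocess
from urllib.parse import unquote

# Constructed handler command in the style of a shell\open\command value.
EXE = r"C:\Program Files\Example\handler.exe"   # placeholder path
TEMPLATE = '"' + EXE + '" "%1"'

def split_args(cmdline):
    """Simplified model of Microsoft C runtime argv splitting
    (the "" escape inside a quoted string is not modelled)."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            started = True
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))   # backslash pairs before a quote halve
                if n % 2:                     # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)          # not before a quote: literal
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args

def launch_naive(uri):
    # %-decode, then paste into the template with no further protection.
    return split_args(TEMPLATE.replace("%1", unquote(uri)))

def launch_protected(uri):
    # list2cmdline escapes blanks, quotes and backslashes for this parser.
    return split_args(TEMPLATE.replace('"%1"', subprocess.list2cmdline([unquote(uri)])))

def single_argument(argv, uri):
    # True when the handler sees exactly the decoded URI as its one argument.
    return argv == [EXE, unquote(uri)]

SAMPLE = "example:one%20two%22%20three"   # constructed URI
```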