lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5221F186.5060808@hardfalcon.net>
Date: Sat, 31 Aug 2013 15:37:10 +0200
From: hardfalcon@...dfalcon.net
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Defense in depth -- the Microsoft way (part
 9): erroneous documentation

I am truly shocked that seemingly, stuff like this needs to be said in
the year of 2013. I'd have supposed that things like these should be
known by *anyone* doing anything even remotely similar to software
development *at least* since the end of the 8.3 filename era 15 years
ago. Are you sure this is real and not a prank? o_O

regards
Pascal Ernster


On 31.08.2013 12:58, Stefan Kanthak wrote:
> Hi,
>
> in <http://seclists.org/fulldisclosure/2013/Aug/75> I documented
> beginners errors (unquoted pathnames containing spaces) not only
> in Microsoft products.
>
> Microsofts developer documentation but shows these beginners errors
> too (and is inconsistent, even in single topics).
>
> Examples:
>
> <http://msdn.microsoft.com/library/cc144171.aspx>
>
> | HKEY_CLASSES_ROOT
> |   txtile
> ...
> |               Shell
> ...
> |                  cmd2
> ...
> |                     command
> |                        (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1
>                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
>
> <http://msdn.microsoft.com/library/bb165967.aspx>
>
> | [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command]
> | @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\""
>      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command]
> | @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\""
>
>
> <http://msdn.microsoft.com/library/cc144083.aspx>
>
> | HKEY_LOCAL_MACHINE
> |   SOFTWARE
> |      Classes
> |         contoso-search
> |            shell
> |               open
> |                  command
> |                     (Default) = "%ProgramFiles%\Contoso\Search\contososearch.exe %1"
>                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
>
> <http://msdn.microsoft.com/library/cc144154.aspx>
>
> | HKEY_LOCAL_MACHINE
> |   SOFTWARE
> |      Classes
> |         LitwarePlayer11.AssocFile....
> ...
> |            shell
> |               open
> |                  command
> |                     (Default) = %ProgramFiles%\Litware\litware.exe
>                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> <http://msdn.microsoft.com/library/hh127450.aspx>
>
> | HKEY_CLASSES_ROOT
> |   CLSID
> |      {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40}
> |         Shell
> |            Open
> |               Command
> |                  (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings
>                                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> <http://msdn.microsoft.com/library/cc144188.aspx>
>
> | <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}"> 
> |    <!-- This is a generated GUID, specific to this task link -->
> |    <sh:name>@myTextResources.dll,-100</sh:name>
> |    <sh:keywords>@myTextResources.dll,-101</sh:keywords>
> |    <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command>
>                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> | </sh:task>
>
>
> Example with ambiguous/inconsistent use of quotes:
>
> <http://msdn.microsoft.com/en-us/library/aa767914.aspx>
>
> | HKEY_CLASSES_ROOT
> |   alert
> |      (Default) = "URL:Alert Protocol"
>                    ^                  ^
> |      URL Protocol = ""
>                       ^^
> |      DefaultIcon
> |         (Default) = "alert.exe,1"
>                       ^           ^
> |      shell
> |         open
> |            command
> |               (Default) = "C:\Program Files\Alert\alert.exe" "%1"
>
>
> Counterexamples:
>
> <http://msdn.microsoft.com/library/cc144175.aspx>
> <http://msdn.microsoft.com/library/cc144101.aspx>
>
> | Note: If any element of the command string contains or might contain
> | spaces, it must be enclosed in quotation marks. Otherwise, if the
> | element contains a space, it will not parse correctly. For instance,
> | "My Program.exe" starts the application properly. If you use
> | My Program.exe without quotation marks, then the system attempts to
> | launch My with Program.exe as its first command line argument. You
> | should always use quotation marks with arguments such as "%1" that are
> | expanded to strings by the Shell, because you cannot be certain that
> | the string will not contain a space.
>
>
> <http://msdn.microsoft.com/library/dd203067.aspx>
> <http://msdn.microsoft.com/library/cc144109.aspx>
>
>
> regards
> Stefan Kanthak
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ