Home page logo

bugtraq logo Bugtraq mailing list archives

Re: URI handling as the harbinger of interaction errors
From: Florian Weimer <fw () deneb enyo de>
Date: Thu, 11 Oct 2007 18:49:04 +0200

* Steven M. Christey:

Throughout this whole discussion on URI handling and IE, let's not
forget that:

1) ANY technology that uses "handlers" that pass commands and
   arguments from one process to another, is likely to have these
   kinds of issues.  Web browsers are just the first to get this kind
   of attention.  All products that support plugins, whether web-based
   or not, should be examined for this type of problem.

Uh, the "first" part is not quite true.  There was some discussion about
mailcap entries, and whether you should use %s or '%s' at some time in
the 90s.

2) Programs that were formerly assumed to be safe because they were
   only ever intended to be invoked by a single user, will now become
   unsafe if they're referenced in a handler.  Think second-order
   symlink issues as one example, or buffer overflows in command-line
   arguments for non-setuid programs that are likely to be used in
   handlers (image converters, anyone?)

Again, we have been though this with *roff, Ghostscript (and its various
front ends), DVI viewers and TeX itself, and many more (and the classic
"unshar", of course).  It's just another round on a different operating

Image viewers are particularly interesting because even if your favorite
and bug-ridden MIME types like image/gif are handled by a (supposedly
patched) mail/web client, chances are that the image viewer recognizes a
GIF image even if it is declared as image/x-xwindowdump, exposing its
vulnerable GIF code.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]