Command injection through URL in Pidgin
Ethan Blanton
elb at pidgin.im
Sun Jun 9 11:40:57 EDT 2013
John Houwer spake unto us the following wisdom:
> http://example.org/$(xterm)
> opens an xterm (Linux)
>
> http://example.org/$(touch<tab>/tmp/ownage)
> Creates the file /tmp/ownage! If you use a <space> the URL will stop. If
> you use a <tab> you can inject what you want to.
>
> In preferences the browser is set to "desktop default".
>
> I think this is a major concern. The user needs to click on the link, but
> you know how it is nowadays. ;)
This is a major concern. We should be inoculated from this, but there
may be a bug. It is also possible that there's a bug in the desktop
handler, or in the program/script handling the ultimate URL. What
desktop environment are you using? On gnome we use gnome-open, and on
KDE we use kfmclient; in both cases, the URL is escaped with
g_shell_quote. Can you get a strace of this process, with arguments,
and find the exec we're actually invoking?
In general, though, I don't like this code. We should ultimately be
reducing to execv, not exec. It looks like we're using
g_spawn_command_line_sync, and we should be using g_spawn_sync.
Regardless of where the bug lies in this (in our code or in the
desktop), this should be changed.
Ethan
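The two spawning patterns contrasted above, as an added example that is not Pidgin's code: plain fork/exec stands in for GLib, and /bin/echo stands in for the URL handler (both are assumptions), so the only thing that differs between the two paths is whether a shell parses the URL. With the shell path, a `$(...)` containing a tab is expanded exactly as the report describes; with the argv path, the handler receives the bytes verbatim.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Stand-in URL handler (assumption: /bin/echo exists); Pidgin would run
 * gnome-open, kfmclient or xdg-open here. */
#define HANDLER "/bin/echo"

/* Run spawn(url) in a forked child with stdout on a pipe, collect the child's
 * output into out (NUL-terminated). Returns the exit status, or -1 on error. */
static int capture(void (*spawn)(const char *), const char *url,
                   char *out, size_t n) {
    int fds[2], status = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: redirect stdout, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        spawn(url);                      /* returns only if exec failed */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0; ssize_t r;
    while (used + 1 < n && (r = read(fds[0], out + used, n - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable pattern: the URL is pasted into a single command string that a
 * shell parses, which is what g_spawn_command_line_sync("handler URL") does.
 * The shell expands $(...) before the handler ever sees its argument. */
static void spawn_via_shell(const char *url) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s %s", HANDLER, url);
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
}

/* Hardened pattern: the URL is one argv element handed straight to exec, as
 * g_spawn_sync does with an argv array. No shell runs, so $(...), tabs,
 * quotes and backticks are just bytes inside the argument. */
static void spawn_via_argv(const char *url) {
    execl(HANDLER, HANDLER, url, (char *)NULL);
}
int open_url_via_shell(const char *url, char *out, size_t n) { return capture(spawn_via_shell, url, out, n); }
int open_url_via_argv(const char *url, char *out, size_t n) { return capture(spawn_via_argv, url, out, n); }
```

The constructed URL uses a harmless `printf` inside `$(...)` with a tab separator; strace of the real Pidgin process would show which of these two exec shapes the desktop handler path actually takes.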