Bug 7178 - Pine: expanding env vars in URLs (from Bugtraq)
Summary: Pine: expanding env vars in URLs (from Bugtraq)
Keywords:
Status: CLOSED DUPLICATE of bug 3782
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pine
Version: 6.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact:
URL: http://www.securityfocus.com/template...
Whiteboard:
Depends On:
Blocks:
 
Reported: 1999-11-20 16:21 UTC by peterw
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-02-03 18:37:11 UTC
Embargoed:



Description peterw 1999-11-20 16:21:51 UTC
Pine automatically recognizes URL's in plaintext messages and makes them
hyperlinks that can launch/spawn Web browsers, typically Lynx. If a user
receives an email with a hyperlink that contains a "$", in the process of
launching the Web browser, the apparent variable will be expanded. This can
be used to trick users into running arbitrary commands with URL's like

http://localhost/#$(cp$IFS/dev/null$IFS/tmp/phackp)

(which requests "http://localhost/" and executes "cp /dev/null
/tmp/phackp")

This has been verified with pine-4.10-3 from Red Hat 6.1 (i386).

According to the bugtraq post, newer versions of Pine have fixed this
problem.

-Peter
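
The difference between pasting a URL into a shell command line and passing it as a single argument, as an added example (not part of the original report and not Pine's code). `echo` stands in for the browser, the names `view_via_shell`, `view_via_exec` and `PINE_DEMO` are made up here, and launching through `popen` with an unquoted string is an assumption about the risky pattern, since the report does not show how Pine built its command.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the first line of the child's output into out, without the newline. */
static void first_line(FILE *fp, char *out, size_t n) {
    if (!fgets(out, (int)n, fp)) out[0] = '\0';
    out[strcspn(out, "\n")] = '\0';
}

/* Risky: the URL is parsed by /bin/sh, so "$NAME" and "$(...)" are expanded. */
int view_via_shell(const char *url, char *out, size_t n) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "echo %s", url);  /* echo = stand-in viewer */
    FILE *fp = popen(cmd, "r");
    if (!fp) return -1;
    first_line(fp, out, n);
    return pclose(fp);
}

/* Safer: no shell; the URL is a single argv element and is never parsed. */
int view_via_exec(const char *url, char *out, size_t n) {
    int fd[2], status = -1;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                              /* child: stdout -> pipe */
        dup2(fd[1], STDOUT_FILENO); close(fd[0]); close(fd[1]);
        execlp("echo", "echo", url, (char *)NULL);
        _exit(127);                              /* exec failed */
    }
    close(fd[1]);
    FILE *fp = fdopen(fd[0], "r");
    if (fp) { first_line(fp, out, n); fclose(fp); } else { out[0] = '\0'; close(fd[0]); }
    waitpid(pid, &status, 0);
    return status;
}

int main(void) {
    char a[256], b[256];
    const char *url = "http://localhost/#$PINE_DEMO";  /* constructed sample */
    setenv("PINE_DEMO", "EXPANDED", 1);
    view_via_shell(url, a, sizeof a);
    view_via_exec(url, b, sizeof b);
    printf("via shell: %s\nvia exec:  %s\n", a, b);
    return 0;
}
```
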

Comment 1 Elliot Lee 2000-02-03 18:37:59 UTC
*** This bug has been marked as a duplicate of 3782 ***

