Bug 7178 - Pine: expanding env vars in URLs (from Bugtraq)
Summary: Pine: expanding env vars in URLs (from Bugtraq)
Status: CLOSED DUPLICATE of bug 3782
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pine
Version: 6.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact:
URL: http://www.securityfocus.com/template...
Depends On:
Reported: 1999-11-20 16:21 UTC by peterw
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2000-02-03 18:37:11 UTC

Description peterw 1999-11-20 16:21:51 UTC
Pine automatically recognizes URL's in plaintext messages and makes them
hyperlinks that can launch/spawn Web browsers, typically Lynx. If a user
receives an email with a hyperlink that contains a "$", in the process of
launching the Web browser, the apparent variable will be expanded. This can
be used to trick users into running arbitrary commands with URL's like


(which requests "http://localhost/" and executes "cp /dev/null

This has been verified with pine-4.10-3 from Red Hat 6.1 (i386).

According to the bugtraq post, newer versions of Pine have fixed this
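
The expansion described in this report, as an added example (not code from Pine, Red Hat or the Bugtraq post): a URL placed inside double quotes on a shell command line still has its "$" sequences expanded, while the same URL handed to the program as a single argv element arrives unchanged. Assumptions: that the browser is launched through a shell command string, which the report does not state; `printf` stands in for the browser; `launch_via_shell`, `launch_via_argv` and `DEMO_VAR` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read everything the child wrote to fd into out (NUL-terminated). */
static void slurp(int fd, char *out, size_t cap) {
    size_t used = 0; ssize_t n;
    while (used + 1 < cap && (n = read(fd, out + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
}

/* At-risk pattern (an assumption, not Pine's source): URL pasted into sh -c. */
int launch_via_shell(const char *url, char *out, size_t cap) {
    char cmd[1024];
    int len = snprintf(cmd, sizeof cmd, "printf '%%s' \"%s\"", url);
    if (len < 0 || len >= (int)sizeof cmd) return -1;
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    slurp(fileno(p), out, cap);
    return pclose(p);
}

/* Hardened: no shell; the URL is one argv element, passed byte for byte. */
int launch_via_argv(const char *url, char *out, size_t cap) {
    int fds[2], status; pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("printf", "printf", "%s", url, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    slurp(fds[0], out, cap);
    close(fds[0]); waitpid(pid, &status, 0);
    return status;
}

int main(void) {
    const char *url = "http://localhost/$DEMO_VAR"; /* constructed sample */
    char a[256], b[256];
    setenv("DEMO_VAR", "expanded", 1);
    launch_via_shell(url, a, sizeof a);
    launch_via_argv(url, b, sizeof b);
    printf("shell: %s\nargv:  %s (%s)\n", a, b, strcmp(b, url) ? "changed" : "literal");
}
```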


Comment 1 Elliot Lee 2000-02-03 18:37:59 UTC
*** This bug has been marked as a duplicate of 3782 ***
