Bug 7178 - Pine: expanding env vars in URLs (from Bugtraq)
Summary: Pine: expanding env vars in URLs (from Bugtraq)
Status: CLOSED DUPLICATE of bug 3782
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pine   
(Show other bugs)
Version: 6.1
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact:
URL: http://www.securityfocus.com/template...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-11-20 16:21 UTC by peterw
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-02-03 18:37:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description peterw 1999-11-20 16:21:51 UTC
Pine automatically recognizes URL's in plaintext messages and makes them
hyperlinks that can launch/spawn Web browsers, typically Lynx. If a user
receives an email with a hyperlink that contains a "$", in the process of
launching the Web browser, the apparent variable will be expanded. This can
be used to trick users into running arbitrary commands eith URL's like

http://localhost/#$(cp$IFS/dev/null$IFS/tmp/phackp)

(which requests "http://localhost/" and executes "cp /dev/null
/tmp/phackp")

This has been verified with pine-4.10-3 from Red Hat 6.1 (i386).

According to the bugtraq post, newer versions of Pine have fixed this
problem.

-Peter

Comment 1 Elliot Lee 2000-02-03 18:37:59 UTC
*** This bug has been marked as a duplicate of 3782 ***


Note You need to log in before you can comment on or make changes to this bug.