Pine automatically recognizes URLs in plaintext messages and makes them hyperlinks that can launch/spawn Web browsers, typically Lynx. If a user receives an email with a hyperlink that contains a "$", in the process of launching the Web browser, the apparent variable will be expanded.

This can be used to trick users into running arbitrary commands with URLs like http://localhost/#$(cp$IFS/dev/null$IFS/tmp/phackp) (which requests "http://localhost/" and executes "cp /dev/null /tmp/phackp").

This has been verified with pine-4.10-3 from Red Hat 6.1 (i386). According to the bugtraq post, newer versions of Pine have fixed this problem.

-Peter
*** This bug has been marked as a duplicate of 3782 ***
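
The expansion described in the report above, shown next to a launcher that does not re-parse the URL. This is an added example, not code from the report or from Pine: it assumes the URL reaches the browser through a shell command string, uses printf as a stand-in for the browser, and the function names and sample URL are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not Pine's code. printf stands in for the browser
# (assumption) so the argument the "browser" receives can be inspected.

# Weak: the URL is pasted into a command string that a second shell parses,
# so $VAR and $(...) inside the URL are expanded before the browser starts.
launch_via_shell_string() {
    sh -c "printf '%s' $1"
}

# Hardened: the URL travels as one argv element and is never re-parsed.
launch_via_argv() {
    sh -c 'printf "%s" "$1"' browser "$1"
}

# Defence in depth: refuse URLs carrying characters a shell treats specially.
# Deliberately strict (it also rejects "&" and ";"); a real client would
# percent-encode such characters instead of dropping the link.
url_is_shell_inert() {
    case $1 in
        *[!A-Za-z0-9:/?#@%+=,._~-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample: same shape as the URL in the report, harmless payload.
SAMPLE='http://localhost/#$(echo${IFS}EXPANDED)'

printf 'shell string: %s\n' "$(launch_via_shell_string "$SAMPLE")"
printf 'argv:         %s\n' "$(launch_via_argv "$SAMPLE")"
if url_is_shell_inert "$SAMPLE"; then
    printf 'filter:       accepted\n'
else
    printf 'filter:       rejected\n'
fi
```

In the first line of output the substitution has already run and its result is spliced into the URL; in the second the browser stand-in receives the text byte for byte.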