
List:       oss-security
Subject:    Re: was: [oss-security] SA29489 CenterIM URL handling flaw
From:       Nico Golde <oss-security+ml@ngolde.de>
Date:       2008-03-28 0:22:33
Message-ID: 20080328002233.GF19773@ngolde.de


Hi Steven,
* Steven M. Christey <coley@linus.mitre.org> [2008-03-28 00:01]:
> On Tue, 25 Mar 2008, Nico Golde wrote:
> > * Nico Golde <oss-security+ml@ngolde.de> [2008-03-25 16:25]:
> > > * Lubomir Kundrak <lkundrak@redhat.com> [2008-03-24 15:08]:
[...] 
> > > That's partly true. While centerim has no special URL
> > > handler to handle incoming URLs, it does provide the ability
> > > to list URLs in a message by pressing F2. If you press Enter
> > > on one of these URLs, it tries to open it in an external
> > > browser and executes the other commands as well.
> 
> This is the kind of situation that CVE adopted the "user-assisted" term
> for: the user assists the attacker in his/her own demise.

Makes sense.

> > > You see the commands in the URL, however, so I think the
> > > impact of this is like sending someone a message with
> > > "please type rm -rf ~ in your shell", so the Secunia rating
> > > is a bit beyond the actual impact.
> 
> Is the URL still encoded at the time it is viewed?  If so, then I don't
> expect a typical user to notice this equivalent of "rm -rf *":
> 
>   %72%6D%20%2D%72%66%20%2A
> 
> and that's part of the "smell test" for user-assisted issues.

Nope, it won't be encoded. Otherwise I would agree that 
decoding hex is too much for a user :)

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
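The two points argued in the thread above, whether a percent-encoded URL hides the shell command from the user, and why a client that splices a URL into a shell command line executes "the other commands as well", as an added example. This is illustrative code written for this page, not CenterIM's own URL handling; it assumes a client that builds the browser command as a single shell string, and uses `echo` in place of a real browser so the injection is visible in the captured output rather than run against the system.

```python
"""Added example: URL-in-message "smell test" and the shell-splicing bug.

Not CenterIM code. Assumptions: the client hands the URL to an external
browser by building one shell command string; `echo` stands in for the
browser so the effect of the injected command can be observed safely.
"""
import subprocess
from urllib.parse import unquote

# Characters that let a URL break out of a single shell word and start a
# second command (the "other commands" mentioned in the thread).
SHELL_META = set(";&|`$()<>\n")


def suspicious_chars(text):
    """Return the set of shell metacharacters present in *text*."""
    return SHELL_META & set(text)


def smell_test(url_as_displayed):
    """Compare what the user sees with what the shell would see after
    percent-decoding.

    'visible_metachars' are in the URL exactly as the message shows it
    (the unencoded case Nico describes: the user can read the command).
    'hidden_metachars' only appear after decoding (Steven's encoded case:
    a user cannot be expected to spot them).
    """
    decoded = unquote(url_as_displayed)
    visible = suspicious_chars(url_as_displayed)
    hidden = suspicious_chars(decoded) - visible
    return {
        "decoded": decoded,
        "visible_metachars": sorted(visible),
        "hidden_metachars": sorted(hidden),
    }


def launch_via_shell(url, browser="echo"):
    """VULNERABLE pattern: the URL is interpolated into a shell command line,
    so metacharacters in it terminate the browser command and run whatever
    follows. Returns the captured stdout of the whole command line."""
    cmdline = f"{browser} {url}"
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout


def launch_as_argv(url, browser="echo"):
    """HARDENED pattern: the URL is passed as one argv element with no shell
    in between, so it can only ever be the browser's single argument."""
    result = subprocess.run([browser, url], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real message.
    plain = "http://example.com/; echo INJECTED"
    encoded = "http://example.com/%3B%20echo%20INJECTED"

    print("Steven's string decodes to:", unquote("%72%6D%20%2D%72%66%20%2A"))
    print("plain  :", smell_test(plain))
    print("encoded:", smell_test(encoded))
    print("shell  :", repr(launch_via_shell(plain)))
    print("argv   :", repr(launch_as_argv(plain)))
```

The `smell_test` output is the check a client (or a reviewer rating the bug) would want: if every metacharacter is already visible in the displayed text, the attack reduces to asking the user to run a command they can read; if they only surface after decoding, the user has no realistic chance of noticing. Whichever case applies, `launch_as_argv` removes the shell from the path entirely, which is the actual fix.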

