To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=72543
                 Issue #|72543
                 Summary|Apostrophes are not escaped in links, which allows executing arbitrary code
               Component|framework
                 Version|OOo 2.0.4
                Platform|Opteron/x86_64
                     URL|
              OS/Version|All
                  Status|UNCONFIRMED
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P1
            Subcomponent|ui
             Assigned to|tm
             Reported by|pqe7avr

------- Additional comments from [EMAIL PROTECTED] Wed Dec 13 09:39:36 -0800 2006 -------
Opening the attached demo_listing_home_directory_to_console.odt by issuing

    ooffice2 demo_listing_home_directory_to_console.odt

in bash and clicking on the "Not so harmless link" opens up a browser showing a
wiktionary entry.
However, in the background, the contents of the current user's home directory are
listed.

The reason is that the link contains an apostrophe character.
When clicking the link, the url of the link is passed to a script to be opened
with the default handler (e.g.: open-url). In this process, the url is wrapped in
apostrophes, like

    open-url 'URL'

In the given example, the link contains apostrophes itself. Therefore, the
call comes down to

    open-url 'http://en.wiktionary.org/wiki/harmless';CMD=lsx-lx$HOME;IFS=x;$CMD;#''

which calls

    open-url 'http://en.wiktionary.org/wiki/harmless'

and afterwards executes

    CMD=lsx-lx$HOME;IFS=x;$CMD;#''

By replacing the latter part, arbitrary code can be executed with the rights
of the current user.

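The quoting failure described in the comment above, as an added example that is not part of the issue, of OpenOffice.org's code, or of the reporter's attachment. It models the link-launching flow with a hypothetical handler stub (open_url) that only records the one argument it receives, runs a constructed payload in the same shape as the reported link through the vulnerable quoting, and shows the two ways to fix it: escaping apostrophes correctly, and (preferably) not building a command string at all.

```shell
#!/bin/sh
# Added example (not code from the OOo issue, from OpenOffice.org, or from the
# reporter): a minimal model of the link-launching flow described in the report,
# with the vulnerable quoting beside two fixed versions. open_url is a
# hypothetical stand-in for the real handler script; it only records the one
# argument it was given.

LAST_URL=""   # what the handler stub received
PWNED=""      # set only if injected shell code actually ran

open_url() {
    LAST_URL=$1
}

reset_state() {
    LAST_URL=""
    PWNED=""
}

# Vulnerable: interpolate the link into a command string wrapped in apostrophes
# and let a shell parse it (eval stands in for handing the string to sh -c).
# An apostrophe inside the link closes the quotes, and everything after it is
# parsed as further shell commands, exactly as in the report.
launch_vulnerable() {
    eval "open_url '$1'"
}

# Escape for a single-quoted shell word: each ' becomes '\'' (close the quotes,
# one backslash-escaped apostrophe, reopen the quotes), then wrap in apostrophes.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Fix 1: quote correctly before building the string. This still goes through a
# shell, so it is only as good as the quoting routine.
launch_quoted() {
    eval "open_url $(shell_quote "$1")"
}

# Fix 2 (preferred): never build a command string. Pass the link as one argv
# element; in a real launcher this means execve(handler, [handler, url]) with
# no shell in between, so no character in the link is special.
launch_direct() {
    open_url "$1"
}

# Constructed payload in the shape of the reported link: the apostrophe closes
# the quoting, ';' ends the command, and '#' comments out the trailing quote.
# It sets a marker variable instead of listing a directory. (The report's own
# payload avoids spaces, which would be percent-encoded in a URL, by setting
# IFS=x so that lsx-lx$HOME splits into ls -l $HOME.)
PAYLOAD="http://en.wiktionary.org/wiki/harmless';PWNED=yes;#'"

# Runs one launcher on the payload from a clean state; afterwards PWNED shows
# whether the injected assignment ran and LAST_URL what the handler received.
run_launcher() {
    reset_state
    "$1" "$PAYLOAD"
}

# Stand-alone demonstration of all three launchers.
for launcher in launch_vulnerable launch_quoted launch_direct; do
    run_launcher "$launcher"
    printf '%-17s injected=%s handler_got=%s\n' \
        "$launcher" "${PWNED:-no}" "$LAST_URL"
done
```

With the vulnerable launcher the handler only ever sees the part of the link before the first apostrophe, and the marker is set; with either fix the handler receives the whole link byte for byte and nothing else runs. Two practitioner caveats: the apostrophe cannot simply be filtered out, because it is a legal sub-delimiter character in URLs, so correct quoting or argv passing is the only real fix; and a launcher that passes the link as argv should still guard against links beginning with '-' being read as options by the handler (for example with a '--' separator, if the handler accepts one).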
---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

