[Secure-testing-team] Bug#696917: roxterm does not handle quotes in URLs correctly

Michael Tokarev mjt at tls.msk.ru
Sat Dec 29 11:49:47 UTC 2012


Source: roxterm
Version: 2.6.5-1
Severity: grave
Tags: security

When trying to click on a URL inside the roxterm window that contains
a single quote ('), the resulting command sent to the shell includes
this quote and is interpreted by the shell, for example:

  http://example.com/quote'here

will be handled as

  x-www-browser 'http://example.com/quote'here'

In this example, the shell will complain that there's no closing quote before
the end of the command, but I can guess this can be (ab)used for some more
interesting scenarios, like to spawn commands unexpectedly:

  http://example.com/one'foo|bar'two

or the like.  The charset allowed in this context does not contain space
and tab, so it isn't directly possible to run some even more interesting
commands (like rm -rf /), but it is enough for a good exploit already.

I think this issue deserves a CVE#.

Thanks,

/mjt
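
The quoting failure described in the report, modelled in Python next to two safe ways of building the launch command. This is an added example, not roxterm's code and not part of the original message; the function names are hypothetical, and the launcher name and both URLs are the ones quoted in the report.

```python
import shlex

BROWSER = "x-www-browser"  # launcher name as quoted in the report
URL_UNBALANCED = "http://example.com/quote'here"   # first URL from the report
URL_PIPE = "http://example.com/one'foo|bar'two"    # second URL from the report

def naive_command(url):
    """Wrap the URL in single quotes without escaping (the reported behaviour)."""
    return f"{BROWSER} '{url}'"

def safe_command(url):
    """Shell-quote the URL so embedded single quotes stay literal."""
    return f"{BROWSER} {shlex.quote(url)}"

def safe_argv(url):
    """Preferred fix: an argument vector for exec-style spawning, no shell at all."""
    return [BROWSER, url]

def outside_quotes(command):
    """Return (text the shell reads outside any quotes, quote left open?).

    Simplified model: tracks ' and " only; backslash escapes are ignored.
    """
    state, exposed = None, []
    for ch in command:
        if state is None:
            if ch in "'\"":
                state = ch          # a quote opens
            else:
                exposed.append(ch)  # the shell interprets this character
        elif ch == state:
            state = None            # the matching quote closes
    return "".join(exposed), state is not None

def shell_words(command):
    """Split into words with POSIX quoting rules; None if a quote is unbalanced."""
    try:
        return shlex.split(command)
    except ValueError:
        return None

if __name__ == "__main__":
    for url in (URL_UNBALANCED, URL_PIPE):
        for build in (naive_command, safe_command):
            cmd = build(url)
            print(f"{build.__name__}: {cmd}")
            print("  outside quotes:", outside_quotes(cmd))
            print("  intact URL argument:", shell_words(cmd) == safe_argv(url))
```
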


