Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: xpdf vulnerability - CAN-2003-0434
From: stanislav shalunov (shalunovinternet2.edu)
Date: Wed Jul 09 2003 - 14:46:18 CDT
> A urlCommand like the default "netscape -remote 'openURL(%s)'"
> is OK since the %s is protected by single quotes.
How so? Consider an argument of
'`rm -rf /tmp/test`'
This expands to
netscape -remote 'openURL('`rm -rf /tmp/test`')'
where the single quotes have no effect.
A proper fix would be not to invoke shell at all, but simply fork and
Stanislav Shalunov http://www.internet2.edu/~shalunov/
"The power of accurate observation is commonly called cynicism by
those who have not got it." -- G. B. Shaw