Uzbl

Tasklist

FS#240 - Malicious code execution through unsanitized @SELECTED_URI

Attached to Project: Uzbl
Opened by why is this required (Chuzz) - 2010-08-02 10:29:35 PM
Last edited by Dieter Plaetinck (Dieter_be) - 2010-08-05 03:30:32 PM
Task Type Bug Report
Category uzbl-browser & sample material
Status Closed
Assigned To No-one
Operating System All
Severity Critical
Priority Normal
Reported Version Development
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Use of @SELECTED_URI in sh command allows remote shell command execution.

#excerpt from default config file
@bind <Button2> = sh 'if [ "\@SELECTED_URI" ]; then uzbl-browser -u "\@SELECTED_URI"; else echo "uri $(xclip -o | sed s/\\\@/%40/g)" > $4; fi'

If SELECTED_URI contains unescaped quotes part of the string will be injected in the shell command.
e.g <a href="li&quot;nk">li"nk</a>

Demo:
http://alterchuzz.altervista.org/uzbl_rce.html

This can potentially affect anything using sh and unsanitized parameters coming from the html page.
This task depends upon

Closed by  Dieter Plaetinck (Dieter_be)
2010-08-05 03:30:32 PM
Reason for closing:  Fixed
Additional comments about closing:  thanks chuzz and pawelz
Comment by Dieter Plaetinck (Dieter_be) - 2010-08-05 03:30:18 PM

Loading...