FS#240 : Malicious code execution through unsanitized @SELECTED

FS#240 - Malicious code execution through unsanitized @SELECTED_URI

Attached to Project: Uzbl
Opened by why is this required (Chuzz) - 2010-08-02 10:29:35 PM
Last edited by Dieter Plaetinck (Dieter_be) - 2010-08-05 03:30:32 PM

Task Type	Bug Report
Category	uzbl-browser & sample material
Status	Closed
Assigned To	No-one
Operating System	All
Severity	Critical
Priority	Normal
Reported Version	Development
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Use of @SELECTED_URI in sh command allows remote shell command execution.

#excerpt from default config file
@bind <Button2> = sh 'if [ "\@SELECTED_URI" ]; then uzbl-browser -u "\@SELECTED_URI"; else echo "uri $(xclip -o | sed s/\\\@/%40/g)" > $4; fi'

If SELECTED_URI contains unescaped quotes part of the string will be injected in the shell command.
e.g <a href="li"nk">li"nk</a>

Demo:
http://alterchuzz.altervista.org/uzbl_rce.html

This can potentially affect anything using sh and unsanitized parameters coming from the html page.

This task depends upon

Closed by Dieter Plaetinck (Dieter_be)
2010-08-05 03:30:32 PM
Reason for closing: Fixed
Additional comments about closing: thanks chuzz and pawelz

Comments (1)
Related Tasks (0/0)

Comment by Dieter Plaetinck (Dieter_be) - 2010-08-05 03:30:18 PM

merged and released.
http://www.uzbl.org/news.php?id=29

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Uzbl

FS#240 - Malicious code execution through unsanitized @SELECTED_URI

Details

Loading...