Re[3]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

To: Thierry Zoller <Thierry@xxxxxxxxx>
Subject: Re[3]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Mon, 8 Oct 2007 13:19:29 +0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <11872098.20071006190651@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <alpine.DEB.0.82.0710051231540.5461@xxxxxxxxxxxxxxxx><096A04F511B7FD4995AE55F13824B833213116@contoso> <1074747703.20071006181321@xxxxxxxxx> <ADEBD71E92984607B8058F44523CD231@control3> <11872098.20071006190651@xxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear Thierry Zoller,



--Saturday, October 6, 2007, 9:06:51 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

TZ> Dear Geo.,

G>> If the application is what exposes the URI handling routine to untrusted
G>> code from the internet,
TZ> Sorry, Untrusted code from the internet ?

TZ> The user clicks on a mailto link, is that untrusted code?
TZ> Or the mailto link is clicked for him.

What  URL  is  is defined by RFC 1738, what mailto: is is defined by RFC
2368.  String  in  question is definetly _not_ URL because of %xx and ".
Double  quote  is  URL  delimiter and is not a part of URL, in this case
application incorrectly parses and highlights URL (it should stop before
").  %xx  is  invalid character encoding. And altogether it's, for sure,
not  mailto:  URL.  Passing  unchecked  user  input  to  function called
ShellExecute(), where URL is expected, is a bug.

So,  while  there  is a security vulnerability in Windows, there is also
security  vulnerability  in  mIRC,  Acrobat  Reader,  Netscape, Miranda,
Skype,  because  ShellExecute()  behaviour  is  not defined for the case
non-URL data is passed to URL processor.

-- 
~/ZARAZA http://securityvulns.com/

References:
- URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Juergen Schmidt
- RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Roger A. Grimes
- Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
  - From: Thierry Zoller
- Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
  - From: Geo.
- Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
  - From: Thierry Zoller

Prev by Date: [security bulletin] HPSBMA02274 SSRT071445 rev.1 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS)
Next by Date: Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
Previous by thread: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
Next by thread: Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
Index(es):
- Date
- Thread