Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

[3APA3A <3APA3A@xxxxxxxxxxxxxxxx>]

Dear Thierry Zoller,



--Saturday, October 6, 2007, 9:06:51 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

TZ> Dear Geo.,

G>> If the application is what exposes the URI handling routine to untrusted
G>> code from the internet,
TZ> Sorry, Untrusted code from the internet ?

TZ> The user clicks on a mailto link, is that untrusted code?
TZ> Or the mailto link is clicked for him.

What  URL  is  is defined by RFC 1738, what mailto: is is defined by RFC
2368.  String  in  question is definetly _not_ URL because of %xx and ".
Double  quote  is  URL  delimiter and is not a part of URL, in this case
application incorrectly parses and highlights URL (it should stop before
").  %xx  is  invalid character encoding. And altogether it's, for sure,
not  mailto:  URL.  Passing  unchecked  user  input  to  function called
ShellExecute(), where URL is expected, is a bug.

So,  while  there  is a security vulnerability in Windows, there is also
security  vulnerability  in  mIRC,  Acrobat  Reader,  Netscape, Miranda,
Skype,  because  ShellExecute()  behaviour  is  not defined for the case
non-URL data is passed to URL processor.

-- 
~/ZARAZA http://securityvulns.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/