
Mozilla Linux Command Line URL Parsing Security Flaw Reported (MozillaZine)

MozillaZine warns of a new Firefox security problem; this one has to do with command-line parsing. "For example, consider a Linux user who uses Firefox as his or her default Web browser and Mozilla Thunderbird as his or her default email client. An attacker could send an email to this user containing a link to http://local`find`host. When the user clicks on this link in Thunderbird, Firefox's URL-parsing shell script will be invoked and will execute the find command before calling Firefox to open the URL." The Firefox 1.0.7 release contains the fix for this problem (and a few others).
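The class of bug described above, as a generic added example (this is not the Firefox script's code, nor anything from MozillaZine or LWN): a wrapper that lets the shell parse a URL a second time runs any backticks inside it, while one that hands the URL on as a single quoted argument does not. The `fake_browser` stand-in, the function names and the sample URL with its harmless `echo` are all constructed for illustration.

```shell
#!/bin/sh
# Hypothetical stand-in for the browser binary: prints the argument it received.
fake_browser() { printf '%s\n' "$1"; }

# Flawed wrapper pattern: the URL is pasted into a command string that the
# shell parses again, so backticks inside the URL are executed as a command.
open_url_unsafe() { eval "fake_browser \"$1\""; }

# Hardened wrapper: the URL stays one quoted argument and is never re-parsed.
open_url_safe() { fake_browser "$1"; }

# The same flaw in a calling program that starts the browser through /bin/sh
# by building the command line as a string (printf stands in for the browser).
launch_via_sh_unsafe() { sh -c "printf '%s\n' \"$1\""; }

# Safe form when /bin/sh must be used: a fixed script text, with the URL
# supplied as positional parameter $1 of the child shell.
launch_via_sh_safe() { sh -c 'printf "%s\n" "$1"' sh "$1"; }

# Constructed input with the same shape as the URL in the report; the embedded
# command is a harmless echo so the effect is visible in the output.
SAMPLE_URL='http://local`echo INJECTED`host'

demo() {
    for f in open_url_unsafe open_url_safe launch_via_sh_unsafe launch_via_sh_safe; do
        printf '%-22s -> %s\n' "$f" "$("$f" "$SAMPLE_URL")"
    done
}
demo
```

In the unsafe variants the browser stand-in receives `http://localINJECTEDhost`, meaning the embedded command ran before the URL was passed on; in the safe variants it receives the URL byte for byte.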


Evo?

Posted Sep 22, 2005 5:54 UTC (Thu) by ncm (guest, #165) [Link] (2 responses)

I can't tell if this is also a bug when Firefox is used with Evolution. I also can't tell whether it affects Galeon. Clue?

Evo?

Posted Sep 22, 2005 9:37 UTC (Thu) by nix (subscriber, #2304) [Link]

I doubt Galeon's affected. (I'll verify this on Monday, when I'm next sitting in front of a system running X.)

Evo?

Posted Sep 23, 2005 15:23 UTC (Fri) by Ross (guest, #4065) [Link]

I wondered as well. I _think_ this is due to a bug in the startup shell script wrapper's handling of arguments, and not due to normal shell command line expansion (because the latter is not a bug but expected behavior). That doesn't rule out the possibility that there is also a bug in Evolution where an external program is called through /bin/sh and the arguments aren't protected from expansion.

Can't reproduce this bug

Posted Sep 22, 2005 15:14 UTC (Thu) by kmccarty (subscriber, #12085) [Link] (2 responses)

As a test, I sent myself two emails with Mozilla Thunderbird. The first email was in plain text format and contained "http://local`find`host". The second email was in HTML format and contained the words "test link" linked to the same mal-formed URL. I am running Gnome on Debian Sarge and have Thunderbird set to open links in Firefox by default. Thunderbird is 1.0.2-2.sarge1.0.6 and Firefox is 1.0.4-2sarge3.

The results are as follows. For the plain-text email, Thunderbird displayed the text like this: "http://local`find`host" - so there was not even the possibility of clicking on the link to open the bad URL. For the HTML email, Firefox attempted to reach the URL http://local%60find%60host/ (and of course gives a no such host error). In case the success/failure of the embedded command makes a difference, I also tried emailing myself an HTML message with a link to "http://local`find /home/kmccarty -name .bashrc`host" and, when I click on it in Thunderbird, still have Firefox try to open the literal (escaped) link URL: http://local%60find%20/home/kmccarty%20-name%20.bashrc%60host If the shell command was ever expanded, that should have become "http://local/home/kmccarty/.bashrchost". So apparently the combination of Firefox/Thunderbird is not vulnerable.

I actually don't think I have succeeded in triggering the bug from the command-line either - the closest I've gotten has been

$ mozilla-firefox 'http://local`find /home/kmccarty -name .bashrc`host'
Error: Failed to send command: 509 internal error

Anyone have a better test case?

Can't reproduce this bug

Posted Sep 27, 2005 19:33 UTC (Tue) by Chess (guest, #32711) [Link] (1 responses)

I'm using Figaro's Password Manager in combination with Firefox/Mozilla, to manage my password protected accounts. Since this "fix", it's not possible anymore to pass on the URL to get to any of those sites, e.g. firefox -remote 'openURL("http://msn.com",new-tab)'

Questionable if that is really such an important security flaw to render URL passing useless...

Can't reproduce this bug

Posted Sep 28, 2005 20:11 UTC (Wed) by Chess (guest, #32711) [Link]

For anyone having the same problem, this works now/still:
firefox -a firefox -remote "openUrl(msn.com)"


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.