KitzKikz  KitzKikz: SogudiIssues_20060101   RecentChanges 
 Home | Trail - SogudiIssues_2006...

TITLE: Security bug.


Shell command called w/o input verification. This should not happen ... please read a book about basic programming stuff.


<a href="man:huhu;touch">do anything i want</a>

make a regex s/[^A-Za-z0-9_-]//g on the input.

regards, Tom Bille


Hey, let's not get insulting here. Mentioning a "basic" programming book, internet security, and regular expressions all in one breath is a bit over the top. I actually do scan the input for all sorts of stuff, but apparently missed the semicolon. Regex's aren't that easy to implement in Objective-C/Cocoa. Besides, your regex above doesn't cover all legitimate man uses. My current implementation doesn't either (SogudiIssues_20050413). I count on you, the considerate users, to find the things I've missed and to let me know about them in a respectful manner.

This is not as serious as it might look at first glance. While it does allow for arbitrary execution of a unix command, it doesn't allow for arguments to be passed to that command. I have difficulty thinking of a single word unix command that could be disastrous, but one probably does exist. After munging around a bit, I have been able to get a single argument to pass to the extra command, so that could become a serious threat. Either way, you are absolutely correct that it should be fixed.

Keep these tests and problems coming, folks. However, please try to refrain from calling me an idiot. Thanks.


How would someone take advantage of this security issue? Would they have to have access to the computer so they could type into Safari's location field? If so, this is not a real issue for most users. If someone has physical access to the computer they can already do a lot of damage.

Could this security issue be used to escalate privileges? I.e. could someone with a normal user account use this vulnerability to perform unix commands with administrator or root privileges?


Will be fixed in the next release of Sogudi, due to come out at the end of January 2006. In the interim, if you are concerned about security, follow the instructions on SogudiPowerCustomize to turn the man: protocol portion of Sogudi off.




 EditThisPage · LinksToPage · PageInfo 01/21/06 17:48:27  ·  0.1508s