Christoph Gutjahr (ANF)
|Serious security leak in MUI Internet programs? (update)|
Following the title link you find an English written document that reveals a severe
security leak in MUI programs.
Programs displaying text by using a MUI text object can be forced to execute
Shell commands via active PIPE: devices with particular escape sequences. To say
it clearly: It's theoretically possible to force for example YAM via a mail with
specifically manipulated subject line to delete files on the computer of the
It's not an error in MUI or AwnPIPE:/APIPE:, it should be the task of the
programmers to filter such sequences before displaying text received via the
As first security measure it is recommended not to use affected programs
anymore or not to mount AwnPIPE:/APIPE: devices during the boot process (remove all PIPE:
icons from SYS:Devs/DosDrivers/).
Affected applicationen are for example YAM and StrICQ.
Not affected are the products of Vaporware, obviously the ESC sequences get
already filtered here (it's not said from which program versions on).
Jens Langner, one of the
lead programmers of YAM, points out that a hotfix is already in the works and
that there'll soon be a 2.3 fix release removing this security leak in YAM.
Hynek Schlawack and Sebastian
Bauer will as soon as possible release a fix for SimpleMail.
As the original text shows seems this exploit danger to be not given using PIPE: as this
doesn't offer any start possibilities: "The standard AmigaOS PIPE: is not
affected since it is incapable of executing commands". Therefore was the above text changed
accordingly. (ps) (Translation: wk)
[News message: 10. Nov. 2001, 18:07] [Comments: 0]
[Send via e-mail] [Print version] [ASCII version]