2007-12-18 17:39:11

By Tim Brown

I was thinking today about the recent spate of vulnerabilities that have affected Firefox and IE where they execute external programs, and it crossed my mind that konqil.icio.us and other scripts of its ilk might be vulnerable in a similar manner. Konqil.icio.us fetches the contents of the bookmarked page, splices data from it (the page title and the meta description) into a single shell command string, and runs that string through exec, system or Perl's backticks, like so:

# The call as it stood: one string, so Perl hands it to /bin/sh -c and the
# shell interprets whatever the page title or meta description contains.
exec("dcop konqueror-" . getppid() . " konqueror-mainwindow#1 newTab \"http://del.icio.us/" . $username . "?url=" . uri_escape($bookmarkurl) . "&title=" . $pagecontent->title . "&notes=" . HTML::HeadParser->new($pagecontent)->header("x-meta-description") . "&jump=close\"");

A malicious web page could sniff for the konqil.icio.us user agent and return a crafted title or meta description containing shell metacharacters (backticks, $(...), ;, quotes and so on). Because the command is built as one string, Perl passes it to /bin/sh -c, and the shell then executes whatever the page put there, with the privileges of the user running Konqueror.

Thankfully, Perl makes this easy to defend against: call external programs with the list form of system or exec, which passes each argument straight to the program without involving a shell, so shell metacharacters in page data are just characters. Note that the list form only bypasses the shell when more than one argument is given; a single string containing metacharacters still goes via /bin/sh. It looks something like:

system("dcop", "konqueror-" . getppid(), ...);

Things get a bit more tricky when backticks are used, i.e. when you want to read back the output of the executed command, because backticks always go through the shell. But again Perl leaps to our rescue: the list form of open with a "-|" mode (available since Perl 5.8) forks the command directly, without a shell, and hands you a filehandle on its standard output:

open(my $processhandle, "-|", "kdialog", "--title", "del.icio.us", "--inputbox", $messagestring, $defaultstring)
    or die "Unable to run kdialog: $!";   # no shell involved, so $messagestring and $defaultstring are passed verbatim
my $resultstring = <$processhandle>;      # first line of kdialog's output, i.e. what the user typed
close($processhandle);                    # $? now holds kdialog's exit status
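To make the difference concrete, here is an added example (not code from konqil.icio.us) putting the three call styles side by side: the single-string form that goes through the shell, the list form of system, and the list form of a pipe open. Perl itself stands in for dcop and kdialog so it runs without KDE; the page title and bookmark URL are constructed sample data, the del.icio.us username is a placeholder, and applying uri_escape to the title is an addition beyond the original call, which only escaped the bookmark URL. It assumes URI::Escape is installed, as konqil.icio.us already requires.

```perl
#!/usr/bin/perl
# Added example, not code from konqil.icio.us. Perl itself stands in for
# dcop/kdialog so this runs without KDE; the title and bookmark URL below are
# constructed sample data.
use strict;
use warnings;
use URI::Escape qw(uri_escape);

# What a hostile page could serve as its <title> once it spots the
# konqil.icio.us user agent. This payload only prints to stderr, but the
# shell would run anything placed between the backticks.
my $bad_title   = 'Nice page `echo INJECTED >&2`';
my $bookmarkurl = 'http://example.invalid/article';

# Stand-in for dcop: a one-liner that prints each argument it received.
# Kept single-quoted so $_ and \n reach the child untouched.
my $show_args = 'print "arg: $_\n" for @ARGV';

# 1. The pattern konqil.icio.us used: one string. Perl sees the metacharacters
#    and hands the whole thing to /bin/sh -c, which expands the backticks in
#    the title before the program is even started.
sub vulnerable {
    my ($title) = @_;
    my $cmd = "$^X -e '$show_args' -- \"http://del.icio.us/user?url="
            . uri_escape($bookmarkurl) . "&title=$title&jump=close\"";
    return system($cmd);   # the shell expands the backticks inside the title
}

# 2. List form of system: more than one argument, so Perl execs the program
#    directly. The title arrives as plain text inside one argument; the
#    backticks are just characters. uri_escape on the title (the original only
#    escaped the URL) also stops an & or " in page data from altering the query.
sub hardened {
    my ($title) = @_;
    my $target = "http://del.icio.us/user?url=" . uri_escape($bookmarkurl)
               . "&title=" . uri_escape($title) . "&jump=close";
    system($^X, '-e', $show_args, '--', $target) == 0
        or die "stand-in failed, status $?";
    return $target;
}

# 3. Reading output back without backticks: list form of open with "-|",
#    which forks the command directly and returns a handle on its stdout.
sub read_back {
    my ($title) = @_;
    open(my $ph, '-|', $^X, '-e', $show_args, '--', $title)
        or die "cannot run stand-in: $!";
    my @lines = <$ph>;
    close($ph) or warn "stand-in exited with status $?";
    chomp @lines;
    return @lines;
}

print "-- single string, via the shell --\n";
vulnerable($bad_title);
print "-- list form, no shell --\n";
hardened($bad_title);
print "-- pipe open, no shell --\n";
print "$_\n" for read_back($bad_title);
```

Run it and compare the three sections: the first prints INJECTED on stderr and the title arrives with the backtick expression already swallowed by the shell, while the other two receive the title verbatim, backticks and all, as one argument. The same list-form rule applies to exec and to the pipe open, which is why the kdialog call above is safe even though it reads the command's output.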

It's mostly a theoretical attack given the size of the user base, but it pays to be careful. I've implemented such protection in the latest CVS version of konqil.icio.us.

Mood: Interested

Music: Nothing playing right now
