18 Aug '13, 7pm

RCE by attached filename in suggested mime decode config for the Ruby MUA sup: (:DX #whatsup

Greetings suppers, joernchen has pointed out to me that our suggested hook for viewing HTML attachments has a serious security issue. The updated suggestion in [0] (wiki) should be safer. Please make sure that you update your mime-decode hook!

Best regards,
Gaute

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments

--- Begin forwarded message from joernchen ---
From: joernchen <...>
To: eg <eg at gaute.vetsj.com>
Date: Sat, 17 Aug 2013 14:14:29 +0200
Subject: Security issue with suggested configuration of sup

[...]

At [0] the suggested configuration for viewing HTML attachments with sup using the mime-decode hook is given as follows:

    unless sibling_types.member? "text/plain"
      case content_type
      when "text/html"
        `/usr/bin/w3m -dump -T #{content_type} '#(unknown)'`
      end
    end

This piece of code however is prone to command injection via the file name of the attached...

Full article: http://rubyforge.org/pipermail/sup-talk/2013-August/00499...
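The root cause in the quoted hook is that the attachment's file name is spliced into a string that Ruby hands to /bin/sh via backticks, so a name containing a quote or a shell metacharacter changes the command line. The following Ruby is an added example written for this post; it is not the sup project's code and not necessarily the wiki's updated hook. It puts the original string-building form beside a hardened hook that builds an argv array and spawns the viewer with IO.popen, which executes the program directly with no shell in between. The viewer is parameterised so the block can run without w3m installed: the test stands in the Ruby interpreter for w3m, and the sample file name is constructed for the example.

```ruby
require "rbconfig"

# Constructed sample attachment name: a single quote followed by shell
# punctuation, the kind of name that terminates the '...' quoting in the
# original hook. It is only data here; nothing in this block runs it
# through a shell.
SAMPLE_FILENAME = "report'; x; '.html"

# The shape of the original hook: the name is interpolated into a shell
# command line. Returned as a string for inspection, deliberately not run.
def unsafe_command_line(content_type, filename)
  "/usr/bin/w3m -dump -T #{content_type} '#{filename}'"
end

# Hardened form: every piece of the command is a separate argv element.
# IO.popen given an array execs the program directly, so the file name is
# passed to the viewer as one literal argument regardless of its contents.
def viewer_argv(viewer, content_type, filename)
  viewer + [content_type, filename]
end

def run_viewer(argv)
  IO.popen(argv, "r") { |io| io.read }
end

# Hook logic mirroring the wiki's structure: only render text/html when
# no text/plain sibling part exists. Default viewer is w3m; the caller may
# pass another argv prefix (used by the test, since w3m may be absent).
DEFAULT_VIEWER = ["/usr/bin/w3m", "-dump", "-T"].freeze

def view_attachment(content_type, sibling_types, filename, viewer: DEFAULT_VIEWER)
  return nil if sibling_types.member?("text/plain")
  return nil unless content_type == "text/html"
  run_viewer(viewer_argv(viewer, content_type, filename))
end

# Stand-in viewer for demonstration: Ruby itself, printing its last
# argument. The "--" ends option parsing so "text/html" and the file name
# reach ARGV untouched. This is an assumption of the example, not w3m.
ECHO_VIEWER = [RbConfig.ruby, "-e", "print ARGV.last", "--"].freeze

if __FILE__ == $PROGRAM_NAME
  puts "string form would run: #{unsafe_command_line('text/html', SAMPLE_FILENAME)}"
  puts "argv form receives   : #{view_attachment('text/html', ['text/html'], SAMPLE_FILENAME, viewer: ECHO_VIEWER)}"
end
```

Run the block directly to compare the two: the string form shows the quoting broken open by the sample name, while the argv form hands the viewer the name verbatim. The same approach (array argument to IO.popen or system) applies to any hook that shells out with untrusted message data.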
