Hi,

the_walrus...@manlymail.net writes:
> I have just found a command line injection security vuln in
> canto. The program fetches feeds from configured sites, and the
> feeds contain URLs that people may want to visit. If a user
> starts canto and chooses to go to one URL from one feed, canto
> constructs a sh command line to visit the URL, but it doesn't
> remove metachars. Therefore a malicious feed (owner turned bad,
> man in the middle attack if fetched with http) can put in bad
> data in all link and guid elements of the feed and use this to
> hack the user when they visit some of the URLs. Not good. See my
> conf.py and evil.rss files for an example. Sorry for my English!

Thanks for the report, I confirm that using evil.rss creates a
/tmp/1337 file when trying to launch the url in a browser. It doesn't
seem to be fixed upstream.

Thanks,
Vincent
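
The pattern described in the report, next to two ways of closing it, as an added example (not canto's code and not part of the original thread). `BROWSER` is a stand-in that only prints its arguments, the `%u` template placeholder is hypothetical, and the sample link is constructed.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

BROWSER = "echo"  # stand-in for the configured browser; it only prints its arguments
# Constructed sample of a feed <link> value carrying a shell metacharacter.
SAMPLE_LINK = "http://example.invalid/a; echo INJECTED"


def _run(cmd, shell):
    return subprocess.run(cmd, shell=shell, capture_output=True, text=True).stdout


def open_unsafe(url):
    """Pattern from the report: the feed URL is pasted into a sh command line."""
    return _run("%s %s" % (BROWSER, url), shell=True)


def open_argv(url):
    """No shell at all: the URL is one argv element, so metacharacters stay data."""
    return _run([BROWSER, url], shell=False)


def open_quoted(url, template="echo %u"):
    """If a user-configured sh template must stay, quote the URL before substitution.
    The %u placeholder is hypothetical and must appear unquoted in the template."""
    return _run(template.replace("%u", shlex.quote(url)), shell=True)


def is_web_url(url):
    """Defence in depth only: http(s), a host, and no whitespace or control characters.
    Metacharacters without whitespace still pass, so this does not replace quoting."""
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    print("unsafe:", open_unsafe(SAMPLE_LINK).splitlines())  # two commands ran
    print("argv:  ", open_argv(SAMPLE_LINK).splitlines())    # one argument printed
    print("quoted:", open_quoted(SAMPLE_LINK).splitlines())
    print("valid: ", is_web_url(SAMPLE_LINK))
```

The same quoting has to be applied to every feed-derived field that reaches the command line, which per the report includes both the link and guid elements.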