When pine handles email formatted with or containing HTML, URLs that contain shell variables defined on the local machine where the client is running are expanded when followed. This can cause many security problems, ranging from sending expanded variables to web servers in the form of CGI parameters (where they can be logged to collect information about the target) to possibly executing arbitrary commands on the target host through malicious email.

The following example was given by Jim Hebert <jhebert@jhebert.cx> in his post to BugTraq:

    echo 'setenv WWW www.securityfocus.com' >> .tcshrc
    source .tcshrc
    pine
    (view a link I mailed myself like: http://$WWW )
    it works, I visit securityfocus.
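One way a mail client can follow a link without any shell interpreting it, added here as an example and not taken from pine's source or from the BugTraq post. It assumes the expansion happens because the URL passes through a shell command line; `url_is_safe` and `open_url` are hypothetical names, and every sample URL except `http://$WWW` is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only http/https/ftp URLs with no character a shell would expand
 * or treat as syntax ($VAR, `cmd`, quotes, backslash, space, ...). */
int url_is_safe(const char *url)
{
    static const char *schemes[] = { "http://", "https://", "ftp://" };
    int known = 0;
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            known = 1;
    if (!known)
        return 0;
    for (; *url; url++)
        if (strchr("$`\\\"'|;<>(){} ", *url) || iscntrl((unsigned char)*url))
            return 0;
    return 1;
}

/* Assumption: the flaw arises because the URL travels through a shell.
 * Here it is passed as a single argv element with no shell involved.
 * Returns the viewer's exit status (127 if it cannot be executed),
 * or -1 if the URL is refused or fork fails. */
int open_url(const char *viewer, const char *url)
{
    int status;
    pid_t pid;
    if (!url_is_safe(url) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execlp(viewer, viewer, url, (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* "http://$WWW" is the link from the post; the other is constructed. */
    const char *samples[] = { "http://www.securityfocus.com/", "http://$WWW" };
    for (int i = 0; i < 2; i++)
        printf("%-30s %s\n", samples[i], url_is_safe(samples[i]) ? "accept" : "refuse");
    return 0;
}
```

The character check is defence in depth; the `execlp` call with the URL as its own argument is what keeps `$WWW` from being expanded, since no shell ever parses it.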