10.Nov.2001
Christoph Gutjahr (ANF)
Serious security hole in MUI Internet programs? (update)
Following the title link, you will find an English-language document that reveals a severe
security hole in MUI programs.
Programs that display text using a MUI text object can be forced, by means of
particular escape sequences, to execute Shell commands via active PIPE: devices.
To put it plainly: it is theoretically possible, for example, to make YAM delete
files on the recipient's computer by sending a mail with a specially manipulated
subject line.
This is not a bug in MUI or AwnPIPE:/APIPE:; it should be the task of the
application programmers to filter such sequences before displaying text received via the
Internet.
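One way to do the filtering described above, as an added example that is not taken from the linked document or from any of the programs named here. The function name is hypothetical, and the code assumes single-byte ISO-8859-1 text in which escape sequences are introduced by ESC (0x1B) or the 8-bit CSI (0x9B):

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strip control bytes from untrusted text (mail subject, sender name, chat
 * line) before it reaches a text-display object. Assumptions: the text is
 * single-byte ISO-8859-1, and escape sequences start with ESC (0x1B) or the
 * 8-bit CSI (0x9B); once the introducer is gone the rest is inert text.
 * Works in place; returns the number of bytes dropped so the caller can
 * log or flag the message. */
size_t sanitize_display_text(char *s, int multiline)
{
    unsigned char *in = (unsigned char *)s;
    unsigned char *out = (unsigned char *)s;
    size_t dropped = 0;

    if (s == NULL)
        return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = *in;
        if (c == '\n' || c == '\t') {
            /* Layout characters: keep in bodies, flatten in header fields. */
            *out++ = multiline ? c : ' ';
        } else if (c < 0x20 || c == 0x7F || (c >= 0x80 && c <= 0x9F)) {
            dropped++;            /* C0 (incl. ESC), DEL, C1 (incl. CSI) */
        } else {
            *out++ = c;
        }
    }
    *out = '\0';
    return dropped;
}

int main(void)
{
    /* Constructed sample: a subject line carrying one ESC byte. */
    char subject[] = "Re: \033bhello";
    size_t before = strlen(subject);
    size_t dropped = sanitize_display_text(subject, 0);

    printf("%lu -> %lu bytes, %lu dropped: %s\n", (unsigned long)before,
           (unsigned long)strlen(subject), (unsigned long)dropped, subject);
    return 0;
}
```

A non-zero return value is worth logging, since ordinary mail headers and chat lines have no reason to carry these bytes. Text in a multi-byte encoding such as UTF-8 must be decoded before filtering, because bytes 0x80 to 0x9F are valid continuation bytes there.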
As a first security measure, it is recommended to stop using affected programs
or not to mount AwnPIPE:/APIPE: devices during the boot process (remove all PIPE:
icons from SYS:Devs/DosDrivers/).
Affected applications include, for example, YAM and StrICQ.
The products of Vaporware are not affected; evidently the ESC sequences are
already filtered there (it is not stated from which program versions onward).
Update:
Jens Langner, one of the lead programmers of YAM, points out that a hotfix is
already in the works and that there will soon be a 2.3 fix release removing this
security hole in YAM.
Update II:
Hynek Schlawack and Sebastian Bauer will release a fix for SimpleMail as soon as
possible.
Update III:
As the original text shows, this exploit risk does not appear to exist when using PIPE:, as it
offers no means of launching programs: "The standard AmigaOS PIPE: is not
affected since it is incapable of executing commands". The text above was therefore changed
accordingly. (ps) (Translation: wk)
[News message: 10. Nov. 2001, 18:07] [Comments: 0]