10.Nov.2001
Christoph Gutjahr (ANF)
Serious security hole in MUI Internet programs? (update)
The title link leads to an English-language document that describes a severe
security hole in MUI programs.
Programs that display text using a MUI text object can be forced to execute
shell commands through active PIPE: devices by means of particular escape sequences.
To put it plainly: it is theoretically possible to make YAM, for example, delete
files on the recipient's computer by sending a mail with a specially manipulated
subject line.
This is not a bug in MUI or AwnPIPE:/APIPE:; it should be the task of the
programmers to filter such sequences before displaying text received via the
Internet.
As a first security measure, it is recommended either to stop using affected
programs or not to mount AwnPIPE:/APIPE: devices during the boot process (remove all PIPE:
icons from SYS:Devs/DosDrivers/).
Affected applications include, for example, YAM and StrICQ.
The products of Vaporware are not affected; the ESC sequences are evidently
already filtered there (it is not stated from which program versions onward).
Update:
Jens Langner, one of the lead programmers of YAM, points out that a hotfix is
already in the works and that a 2.3 fix release removing this security hole in
YAM will follow soon.
Update II:
Hynek Schlawack and Sebastian Bauer will release a fix for SimpleMail as soon
as possible.
Update III:
As the original text shows, the exploit risk does not appear to exist with PIPE:, since
it offers no way of starting programs: "The standard AmigaOS PIPE: is not
affected since it is incapable of executing commands". The text above was therefore
changed accordingly. (ps) (Translation: wk)
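The item says programmers should filter such sequences before displaying text received via the Internet. The following is an added example of one way to do that, not code from the original report or from any of the programs named; the helper name `sanitize_display_text` is hypothetical, and it assumes single-byte ISO-8859-1 text in a one-line field such as a mail subject.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * sanitize_display_text() is a hypothetical helper for this example; it is
 * not taken from YAM, SimpleMail, MUI or any other program named above.
 * Assumption: the input is single-byte ISO-8859-1 text for a one-line field
 * (for example a mail subject), so no control byte is legitimate in it.
 *
 * Copies `in` to `out`, dropping every control byte:
 *   0x01-0x1F  C0 controls, including ESC (0x1B)
 *   0x7F       DEL
 *   0x80-0x9F  C1 controls, including the single-byte CSI (0x9B)
 * With the introducer byte gone, the rest of a sequence is shown as plain
 * characters. Returns the number of bytes dropped so the caller can flag
 * the message. `out` is always NUL-terminated when outsz > 0.
 */
size_t sanitize_display_text(const char *in, char *out, size_t outsz)
{
    size_t dropped = 0, o = 0;

    if (outsz == 0)
        return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c < 0x20 || c == 0x7F || (c >= 0x80 && c <= 0x9F)) {
            dropped++;
            continue;
        }
        if (o + 1 < outsz)          /* keep room for the terminator */
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return dropped;
}

int main(void)
{
    /* Constructed sample: ESC followed by a placeholder sequence body. */
    const char subject[] = "Re: hello \x1b" "[placeholder] world";
    char clean[64];
    size_t n = sanitize_display_text(subject, clean, sizeof clean);

    printf("dropped %lu control byte(s): \"%s\"\n", (unsigned long)n, clean);
    return 0;
}
```

A non-zero return value is a useful signal in its own right: a subject line that contained control bytes can be logged or marked before it is shown.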
[News message: 10. Nov. 2001, 18:07] [Comments: 0]
09.Nov.2001
Christoph Gutjahr (ANF)
Skins for the OS3.9 audio CD player
A collection of new skins for the audio CD player of OS 3.9 can be found
at the title link.
(ps) (Translation: rh)
[News message: 09. Nov. 2001, 20:16] [Comments: 0]
07.Nov.2001
Jens Schönfeld (ANF)
First software for VarIO interface card
In the support section of the individual Computers website you can
find a first archive with software for the new IO board VarIO. The driver also recognizes the serial interface Silversurfer and thus replaces the old silversurfer.device. The installer script is easy to understand and available in two languages. Before installing it you should delete silversurfer.device, but the hardware should remain installed.
(ps) (Translation: dr)
[News message: 07. Nov. 2001, 22:52] [Comments: 0]