Date: Tue, 6 Jan 2009 14:46:46 -0500 (EST)
From: Josh Bressers <>
To: oss-security <>
Subject: Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox
 (Demonstration/Exploit included)

Here's a heads up for everyone (I've CCd the discoverer)

Steve, can you assign a CVE id?


----- Forwarded Message -----


as I've seen, you also seem to use xdg-open in /etc/mailcap.

The problem is that xdg-open itself detects the right mime-type. This allows an attacker to deliver a dangerous file with a trustworthy mime-type to get it executed by xdg-open.

I've created an example page: (With SSL) (Without SSL)

This page delivers a .desktop file with the mime-type "application/pdf". In the default configuration, Firefox offers to open this file with the default application, which is xdg-open. Just one click on "OK" (and most users won't have a closer look at the dialog!) and the content in the .desktop file is immediately executed!

Other combinations are possible; I just got the first result with .desktop files. There may be other dangerous types Firefox may be tricked into opening with xdg-open. It's even possible to hide the real file type.

See also:
Problem: Their security bugs are open to the public :-( Fast reaction would be required :-(


Manuel Reimer
()  ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
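
Added example, not part of the original message and not code from Firefox or xdg-utils: a defender-side check for the mismatch described above. It flags mailcap entries that hand files to an opener which re-detects the type, and rejects content whose bytes do not match the declared MIME type. The opener names other than xdg-open, the signature table and the sample inputs are assumptions constructed for illustration.

```python
import re

# Openers that choose a handler from the file itself and ignore the MIME type
# the browser was told. xdg-open is the one named in the report; the other
# names are assumptions added for illustration.
REDETECTING_OPENERS = {"xdg-open", "gnome-open", "kde-open", "exo-open"}
# Minimal content signatures per declared type (constructed, not exhaustive).
MAGIC = {"application/pdf": b"%PDF-", "image/png": b"\x89PNG\r\n\x1a\n"}

# Constructed sample inputs.
SAMPLE_MAILCAP = """\
application/pdf; /usr/bin/xdg-open %s
text/html; /usr/bin/sensible-browser %s; description=HTML
image/*; xdg-open \\
    %s; test=test -n "$DISPLAY"
"""
SAMPLE_DESKTOP = b"[Desktop Entry]\nType=Application\nName=sample\n"

def audit_mailcap(text):
    """Return (mime_type, command) for entries that call a re-detecting opener."""
    findings = []
    # Join backslash-continued lines before parsing.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by ';' unless escaped as '\;'.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        words = fields[1].split() if len(fields) > 1 else []
        program = words[0].rsplit("/", 1)[-1] if words else ""
        if program in REDETECTING_OPENERS:
            findings.append((fields[0], fields[1]))
    return findings

def looks_like_desktop_entry(data):
    """True if the first non-blank, non-comment line is a .desktop group header."""
    for raw in data.splitlines():
        line = raw.strip()
        if line and not line.startswith(b"#"):
            return line == b"[Desktop Entry]"
    return False

def content_matches_declared(declared_type, data):
    """Reject launcher files and content lacking the declared type's signature."""
    if looks_like_desktop_entry(data):
        return False
    magic = MAGIC.get(declared_type)
    return magic is not None and data.startswith(magic)
```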
