CVE-2008-0386: Input Validation
Description of problem: The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE) has the following code:
browserwitharg=`echo "$browser" | sed s#%s#"$1"#`
if [ x"$browserwitharg" = x"$browser" ]; then "$browser" "$1"; else $browserwitharg; fi
The URL in "$1" is pasted unescaped into the sed script, so sed interprets any sed commands embedded in it, and the resulting string is then executed by the script through the unquoted $browserwitharg expansion.
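The hardened counterpart, added here as an example and not xdg-utils' own code: the trusted command template is word-split once, the untrusted URL is inserted as a single argv element in place of the literal %s word, and the URL never passes through sed or a second round of shell parsing. It assumes the template comes from trusted configuration and has no whitespace inside a single word.

```shell
#!/bin/sh
# Added example (not from xdg-utils): launch a browser command template such as
# 'firefox -new-tab %s' with an untrusted URL, without re-parsing the URL.
# Assumption: the template is trusted configuration; only the URL is hostile.

# open_url TEMPLATE URL
# Rebuilds the positional parameters from the template words, swapping the
# word "%s" for the URL as one argument, then executes the result directly.
open_url() {
    url=$2
    set -f                    # no globbing while splitting the template
    set -- $1                 # word-split the trusted template only
    set +f
    found=0
    for word; do              # loop list is fixed when the loop starts
        shift                 # drop the word from the front ...
        if [ "$word" = '%s' ]; then
            set -- "$@" "$url" # ... and append the URL as a single argument
            found=1
        else
            set -- "$@" "$word"
        fi
    done
    # No %s in the template: pass the URL as the final argument instead.
    [ "$found" -eq 1 ] || set -- "$@" "$url"
    "$@"                      # no eval, no sed: metacharacters stay literal
}

# Stand-in for a browser: reports argc and each argv element in brackets,
# so it is visible that ';', '#', spaces and $(...) never split or expand.
record_argv() {
    printf '%d:' "$#"
    printf '[%s]' "$@"
}

# Constructed demo URL carrying shell and sed metacharacters.
open_url 'record_argv -new-tab %s' 'http://example.org/a;b#c $(uname)'
echo
```

Expected output is `2:[-new-tab][http://example.org/a;b#c $(uname)]`: the URL arrives as one argument and the command substitution is not evaluated.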
Version-Release number of selected component (if applicable): xdg-utils-1.0.2-2.fc8
How reproducible: Always
Steps to Reproduce:
1. Uninstall the perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3).
2. Start a plain X session.
3. Run: xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox'
Actual results: File foo created.
Expected results: The page opened in a web browser.
Additional info:
Other sources
Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email.
Frequently Asked Questions
What is the severity of CVE-2008-0386?
CVE-2008-0386 is classified as a moderate severity vulnerability.
How do I fix CVE-2008-0386?
To fix CVE-2008-0386, update xdg-utils to version 1.0.3 or later.
Which software versions are affected by CVE-2008-0386?
CVE-2008-0386 affects xdg-utils versions 1.0.2 and earlier.
What type of attacks does CVE-2008-0386 allow?
CVE-2008-0386 allows user-assisted remote attackers to execute arbitrary commands.
Can CVE-2008-0386 affect my Linux system?
CVE-2008-0386 can affect Linux systems using vulnerable versions of xdg-utils.