#2686 HIGH Untriag: Clicking link in News Reader brings up wrong page in Web Browser (shell metachar insecurity)
Zarro Boogs per Child
bugtracker at laptop.org
Mon Aug 6 06:36:39 EDT 2007
#2686: Clicking link in News Reader brings up wrong page in Web Browser (shell
metachar insecurity)
-------------------------------------+--------------------------------------
  Reporter:  gnu                     |       Owner:  jg
      Type:  defect                  |      Status:  new
  Priority:  high                    |   Milestone:  Untriaged
 Component:  new component           |     Version:  Build 542
  Keywords:  rss newsreader security |    Verified:  0
-------------------------------------+--------------------------------------
I used the news reader (RSS reader) to look at Planet OLPC. I scrolled
down to Joel Stanley's article of Sat, July 28, 2007, 12:41:56 "Hey
Charger?". Hovering over the first link in the message (on the word
"article" in the second sentence) shows the link in the bottom margin
(http://www.linuxworld.com.au/index.php/id;193757623;fp;16;fpid;0). When
I clicked on the link, it correctly brought me to the Web activity -- but
to the wrong page on www.linuxworld.com.

When I read the page by going to http://planet.laptop.org on an ordinary
FC6 machine, the link works and takes me straight to the article, as
expected.

Maybe it's sensitive to semicolons (or other shell metacharacters) in
URLs??? Eek! Indeed, it brought me to
"http://www.linuxworld.com.au/index.php/id". Can you say exploit?
--
Ticket URL: <https://dev.laptop.org/ticket/2686>
One Laptop Per Child <http://laptop.org/>
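
An added example (not part of the ticket and not OLPC code) that reproduces the truncation reported above, assuming the link is handed to the browser through a POSIX shell command line, and shows two launch patterns that keep the URL intact. The handler command and the function names are hypothetical stand-ins; the ticket does not show how the News Reader actually starts the Web activity.

```python
import shlex
import subprocess
import sys

# URL quoted in the ticket; ';' is a command separator to /bin/sh.
URL = "http://www.linuxworld.com.au/index.php/id;193757623;fp;16;fpid;0"

# Hypothetical stand-in for the browser: prints the one URL argument it received.
HANDLER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
HANDLER_CMDLINE = " ".join(shlex.quote(part) for part in HANDLER)


def _first_line(proc):
    """Return what the stand-in handler reported as its URL argument."""
    lines = proc.stdout.splitlines()
    return lines[0] if lines else ""


def open_via_shell_string(url):
    """Weak pattern: the URL is pasted into a string that the shell parses.

    The shell ends the handler command at the first ';' and treats the rest
    of the URL as further commands, so the handler sees a truncated URL.
    """
    proc = subprocess.run(HANDLER_CMDLINE + " " + url, shell=True,
                          capture_output=True, text=True)
    return _first_line(proc)


def open_via_argv(url):
    """Preferred: no shell at all; the URL is exactly one argv element."""
    proc = subprocess.run(HANDLER + [url], capture_output=True, text=True)
    return _first_line(proc)


def open_via_quoted_shell(url):
    """Fallback when a shell cannot be avoided: quote the URL first."""
    proc = subprocess.run(HANDLER_CMDLINE + " " + shlex.quote(url), shell=True,
                          capture_output=True, text=True)
    return _first_line(proc)


if __name__ == "__main__":
    print("shell string :", open_via_shell_string(URL))
    print("argv list    :", open_via_argv(URL))
    print("quoted shell :", open_via_quoted_shell(URL))
```

The shell-string variant reports the same truncated address the ticket quotes, while the other two deliver the full URL to the handler.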