:: Re: [DNG] VBScript Injection via GN…
Página Principal
Delete this message
Reply to this message
Autor: Rick Moen
Data:  
Para: dng
Assunto: Re: [DNG] VBScript Injection via GNOME Thumbnailer
Quoting Joachim Fahrner (jf@???):

> Another nice bug in Gnome:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html


I feel almost dirty making excuses for GNOME ;-> , but this bug in
/usr/bin/gnome-exe-thumbnailer appears to be exploitable only if WINE
is installed and findable by that GNOME utility. The thumbnailer
invokes WINE's cscript.exe, which appears to be a Windows Scripting Host
command interpreter -- and thus run VBScript.

OTOH, clearly the parser code in /usr/bin/gnome-exe-thumbnailer is
rubbish, as it shouldn't be possible to fool it into processing embedded
VBSCript in a filename.

-- 
Cheers,                                      299792458 meters per second.  Not
Rick Moen                                    just a good idea.  It's the law.
rick@???                
McQ! (4x80