Re: [Full-Disclosure] shell:windows command question

[Keith]

I am the one that reported http://bugzilla.mozilla.org/show_bug.cgi?id=167475.  Since, I saw the debug team marked the report public, I will comment on it.  I agree with Andreas that it is a very serious security flaw.  When I was playing around with it I found some of the suffixes it responded to are   mov grp its mp3 txt ppt doc xls xsl avi psd ai js attempts to run with wscript vbs attempts to run with wscript reg zip sql opens in notepad.exe mdb shs (scrap) chm config opens in visual studio aspx opens in visual studio dbs opens in visual studio eml   The most obviously dangerous extensions being .vbs, .js, .reg.  I am sure there are many more.    This is dangerous as any program called by the command runs with local zone privileges.  So until the patch is applied any script or program can be called from the address bar by shell:pathtofile.  Also, Andreas is right about the potential of a buffer overflow.  Along with the .mp3 and .grp extensions he mentioned, .eml files also seem to be susceptible to this.  Hopefully the patch will be available soon and it will stop more then just the extensions named in previous posts.   As a side note, I was very impressed with the Mozilla team’s response.  They were very fast and Bugzilla keeps the reporter in the loop.  On the other hand, when I reported a similar use of the shell command to MS and explained how it could be used to escalated privileges their replay was “Thank you for your note. While a remote server can get local data to display in the client browser window by using these protocol handlers, it is not able to read the data itself.”  As we have seen, Jelmer and http-equiv have shown that this certainly is the case.