pinepolicy.txt

17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Vulnerability in Pine allows bypassing site policies to run arbitrary commands; upgrade to version 4.03.

Code

```text
Date: Mon, 7 Sep 1998 12:18:28 +0100
From: Chris Wilson <[email protected]>

Hey people,

I've discovered a vulnerability in Pine, tested on version 3.95q, but
which probably applies to all versions up to 4.02. This vulnerability
allows users to bypass site policies and use Pine to run arbitrary
commands in the user's name. Many sites use site policies to disable this,
in order to prevent users from running arbitrary commands.

This vulnerability was reported to the authors last week, and they have
very rapidly responded by releasing a new version, 4.03, which they claim
fixes the bug. I haven't tested this for myself. The new version is
available from ftp://ftp.cac.washington.edu/pine/pine.tar.Z (source code).

The vulnerability is as follows: when setting up a printer, it is possible
to choose the "Personally selected print command" option. This allows you
to specify a command which Pine will run whenever it needs to print a
document. By changing the value of this setting, it is possible to have an
arbitrary command run for you when you print, say, an e-mail. Therefore,
system administrators usually disable this ability with an option in their
pine.conf.fixed file.

When the SA has done this, users cannot choose a custom print command for
themselves using Pine's Printer Setup. However, if they manually modify
their .pinerc file, adding a line such as:

printer=test [] echo Hello there! > test

then this will override the Site Policies and, when a file is next printed
from Pine, the command will be executed in contravention to the Site
Policy.

I recommend that all systems which restrict users' ability to run
arbitrary commands and allow them to run Pine should be upgraded to Pine
4.03.

Cheers, Chris.
___ __ _
/'__// / ,__(_)_ Wilson <[email protected]> ----------------- -
/ (_ / ,\/ _/ /_ \ Webmaster/SysAdmin/Timelord/BOFH/Programmer --------- -
\__//_/_/_//_/___/ "1998 isn't MCMXCVIII. The Romans would have used MIIM"

DISCLAIMER: This message is not real. Nothing ever happened. I am a figment
of your imagination. I do not exist. Bill Gates is good. Bill Gates is God.
Buy Microsoft - everything will be all right. Trust in Bill.
```
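The advisory's point for a defender is that a site-wide setting in pine.conf.fixed was not actually enforced against a hand-edited .pinerc, so until the upgrade to 4.03 the only way to know whether a user had done this was to look at the users' .pinerc files. The following audit script is an added example, not part of the original advisory or of the Pine distribution. It assumes the `printer=` key pins the printer in pine.conf.fixed (the advisory only says "an option"), and it assumes the `nickname [init trailer] command` shape of the printer value from the one line shown in the advisory. The sample config contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files, not taken from any real host.
# Assumption: the site pins the printer with a printer= line in pine.conf.fixed.
PINE_CONF_FIXED = """\
# site-wide settings users must not override (constructed example)
printer=lpr
"""

# A user .pinerc carrying the kind of line quoted in the advisory.
USER_PINERC = """\
personal-name=Example User
printer=test [] echo Hello there! > test
"""

# A user .pinerc that simply repeats the site value.
CLEAN_PINERC = """\
personal-name=Another User
printer=lpr
"""

# Shell metacharacters: a strong hint that the "printer" is really a command.
SHELL_META = re.compile(r"[;&|><`$()]")


def parse_pine_vars(text: str) -> Dict[str, str]:
    """Return the variable=value lines of a Pine config file as a dict.

    Comment lines ('#') and blank lines are skipped; if a key repeats,
    the last assignment wins. Keys are lower-cased for comparison.
    """
    vars_: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        vars_[key.strip().lower()] = value.strip()
    return vars_


def split_printer_value(value: str) -> Tuple[str, str]:
    """Split 'nick [init trailer] cmd' into (nick, cmd).

    Assumption (from the advisory's example line): the bracketed
    init/trailer section is optional and the command is whatever follows.
    """
    m = re.match(r"^(?P<nick>\S+)\s*(?:\[[^\]]*\]\s*)?(?P<cmd>.*)$", value)
    if not m:
        return value, ""
    return m.group("nick"), m.group("cmd").strip()


def audit_pinerc(pinerc_text: str, fixed_text: str) -> List[str]:
    """Report a user's printer setting that contradicts the pinned site value
    or that carries a shell command."""
    findings: List[str] = []
    fixed = parse_pine_vars(fixed_text)
    user = parse_pine_vars(pinerc_text)
    if "printer" not in user:
        return findings
    if "printer" in fixed and user["printer"] != fixed["printer"]:
        findings.append(
            f"printer overrides pinned site value {fixed['printer']!r}: "
            f"{user['printer']!r}"
        )
    nick, cmd = split_printer_value(user["printer"])
    if cmd and SHELL_META.search(cmd):
        findings.append(
            f"printer {nick!r} runs a shell command with metacharacters: {cmd!r}"
        )
    return findings


if __name__ == "__main__":
    for label, rc in (("user", USER_PINERC), ("clean", CLEAN_PINERC)):
        for finding in audit_pinerc(rc, PINE_CONF_FIXED):
            print(f"[{label}] {finding}")
```

Run against real files, the script would be pointed at each home directory's .pinerc with the site's pine.conf.fixed; the override check is the one that matters for the advisory, while the metacharacter check catches a custom print command even on a site that never pinned the value.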
