Page 1 of 1

Shell extension uses unquoted program path

PostPosted: Thu Jan 10, 2013 10:49 am
by AnandBhat
After reading https://isc.sans.edu/diary/Help+elimina ... ties/14464, I noticed an unquoted path vulnerability in the WinMerge shell extension feature. I tried the latest Alpha release (2.13.21 alpha) and the issue continues to be present. Can you please have this addressed in your next release?

Steps to reproduce the issue:
1. Install WinMerge in the default location (C:\Program Files\WinMerge) and enable shell extensions.
2. Create a copy of calc.exe and place it as C:\program.exe
3. Attempt to use the shell extension (either Compare or Compare As... after selecting two files or directories).
4. The copy of calc.exe opens up instead of WinMerge, indicating the the shell extension tried to invoke WinMerge using an unquoted command path.

Let me know if you need any other details.

Re: Shell extension uses unquoted program path

PostPosted: Sun Jan 13, 2013 5:52 pm
by jtuc

Re: Shell extension uses unquoted program path

PostPosted: Tue Jan 15, 2013 5:53 am
by AnandBhat
Thanks!

Re: Shell extension uses unquoted program path

PostPosted: Wed Feb 20, 2013 2:01 am
by christianlist
This particular bug is now fixed in WinMerge 2.14.0

But I left my copy of Calc.exe at C:\Program.exe and noticed another bug:
When WinMerge is launched from TortoiseSVN it too uses unquoted paths.
It turns out that our installer integration with TortoiseSVN (and possible the other integrations too) is adding the integration using an unquoted path.

Re: Shell extension uses unquoted program path

PostPosted: Sun Jul 28, 2013 11:34 am
by ethan3
AnandBhat wrote:After reading https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464, I noticed an unquoted path vulnerability in the WinMerge shell extension feature. I tried the latest Alpha release (2.13.21 alpha) and the issue continues to be present. Can you please have this addressed in your next release?

Steps to reproduce the issue:
1. Install WinMerge in the default location (C:\Program Files\WinMerge) and enable shell extensions.
2. Create a copy of calc.exe and place it as C:\program.exe
3. Attempt to use the shell extension (either Compare or Compare As... after selecting two files or directories).
4. The copy of calc.exe opens up instead of WinMerge, indicating the the shell extension tried to invoke WinMerge using an unquoted command path.

Let me know if you need any other details.

I am using WinMerge Portable 2.14.0 without any bugs. It is included full support for archives with the bundled 7-Zip plugin.