Seem to be able to launch Help.app and run a script with a URL like 'help:runscript=...'

VERIFIED DUPLICATE of bug 243699

Status

Camino Graveyard
OS Integration
14 years ago

People

(Reporter: Mark Newland, Assigned: Mike Pinkerton (not reading bugmail))

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a) Gecko/20040517 Camino/0.7+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a) Gecko/20040517 Camino/0.7+

I was reading apple.slashdot.org (see URL in additional information) and Camino
seems to be able to run "help:runscript=...",
like help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt



Reproducible: Always
Steps to Reproduce:
1. Paste URL: "help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt"
2. Press return


Actual Results:  
See Date and time in help app.


I read that a "vulnerability has been found in Mac OS X's Safari, which will
launch Help.app and run an arbitrary script with a URL like 'help:runscript=...',"
http://apple.slashdot.org/apple/04/05/17/1646216.shtml?tid=126&tid=172&tid=179&tid=185&tid=190
and "Serious Security Flaw in Mac OS X/Safari/Help Viewer"
http://forums.macnn.com/showthread.php?%20s=&threadid=213043&perpage=50&pagenumber=1
(Assignee)

Comment 1

14 years ago
This should have been fixed by 243699; reporter, can you verify?

*** This bug has been marked as a duplicate of 243699 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
(Reporter)

Comment 2

14 years ago
Tested "help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt"
with 0.8b 2004051715 - date and time still show.
Status: RESOLVED → VERIFIED
dupe of public bug, removing security flag
Group: security