Mac OS X Help URI Handler Arbitrary Script Execution

lixlpixel has reported a vulnerability in Mac OS X, potentially allowing malicious web sites to compromise a vulnerable system.

The problem is that the “help” URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using “help:runscript”.

It is reportedly possible to place arbitrary files, including script files, in a known location on a user’s system by asking the user to download a “.dmg” (disk image) file, provided the Safari browser has “Open “safe” files after download” enabled (default behaviour).

This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2.

Uncheck “Open “safe” files after download” in “Safari -> Preferences -> General”.

Do not surf the Internet as a privileged user.

Rename the help URI handler.
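
A detection-side complement to the workarounds above, as an added example that is not part of the original advisory: it scans page source or proxy log text for “help:” URIs that contain “runscript”, a directory traversal sequence (including percent-encoded forms), or a “.scpt” target. The sample input is constructed, its paths are placeholders, and the function names are illustrative.

```python
import re
from urllib.parse import unquote

# A help: URI that starts a value (not the tail of another URL or word).
HELP_URI = re.compile(r"""(?<![\w/.-])help:[^\s"'<>]+""", re.IGNORECASE)
# ".." as a whole path segment, after "/", "\" or "=".
TRAVERSAL = re.compile(r"(^|[/\\=])\.\.([/\\]|$)")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(uri):
    """Return the reasons a help: URI is suspicious (empty list if none)."""
    decoded = fully_decode(uri)
    lowered = decoded.lower()
    reasons = []
    if "runscript" in lowered:
        reasons.append("runscript")
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if lowered.split("?")[0].rstrip().endswith(".scpt"):
        reasons.append("scpt-target")
    return reasons

def scan(text):
    """Return (line_no, uri, reasons) for every flagged help: URI in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in HELP_URI.finditer(line):
            reasons = classify(match.group(0))
            if reasons:
                findings.append((line_no, match.group(0), reasons))
    return findings

# Constructed sample input; PLACEHOLDER paths do not refer to real files.
SAMPLE = """\
<a href="help:search=printing">Printing help</a>
<meta http-equiv="refresh" content="0;url=help:runscript=../../PLACEHOLDER/example.scpt">
<img src="help:runscript=%2e%2e%2f%2e%2e%2fPLACEHOLDER%2fexample.scpt">
<a href="https://example.com/help:topics">docs</a>
"""

if __name__ == "__main__":
    for line_no, uri, reasons in scan(SAMPLE):
        print(f"line {line_no}: {uri} -> {', '.join(reasons)}")
```
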

Provided and/or discovered by: lixlpixel

Proof of Concept: copy/paste “help://cat /etc/passwd” in the address bar

This is a harmless POC that will launch the help and dump the passwd file.
