Bug in "Explore Working Folder" menu command

Moderator: SourceGear

TIMMCS
Posts: 3
Joined: Tue Jun 17, 2008 11:02 am

Post by TIMMCS » Fri Jul 04, 2008 7:40 am

Running Vault 4.1.2 on Windows 2000 SP4

I have a project folder that contains a file called UPGRADE.exe (that is not under source control but does exist in the working folder).
This project also has a sub-folder called UPGRADE (that is under source control).

From the Vault Client, I right-click on the "UPGRADE" sub-folder and choose "Explore Working Folder".

Instead of opening a copy of explorer in this folder as I would expect, the UPGRADE.exe is executed without any warning or user-interaction.

I am assuming this is a problem caused by the subfolder having the same name as the EXE, as the explore-working-folder command seems to function properly on other folders.

This at first seems to be a minor bug, but actually is a pretty major security risk, as a malicious team-member could exploit this to trick other users into executing arbitrary code (simply by placing an EXE with the same name as a sub-folder into the project and waiting for victims to use the "explore working folder" feature).

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Fri Jul 04, 2008 2:23 pm

Hopefully you have developers working on code, rather than sabotage, but you're right -- it's definitely a bug. I don't think we've had reports of this before.

I'll log as a bug and we'll look into this further.
Linda Bauer
SourceGear
Technical Support Manager
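
An added example, not part of the thread and not SourceGear's code: a Python audit that walks a working folder and flags any executable sharing its name with a sibling folder, which is the layout described in the report above. The extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed set of directly launchable extensions (a subset of a typical Windows PATHEXT).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}

def find_shadowing_executables(root):
    """Return sorted (folder, file) pairs where file is '<folder name><executable ext>'
    in the same parent directory. Names are compared case-insensitively, as on Windows."""
    hits = []
    for parent, dirnames, filenames in os.walk(root):
        folders = {d.lower(): d for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXECUTABLE_EXTS and stem.lower() in folders:
                hits.append((os.path.join(parent, folders[stem.lower()]),
                             os.path.join(parent, name)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample working folder mirroring the layout in the report."""
    os.makedirs(os.path.join(root, "proj", "UPGRADE"))
    os.makedirs(os.path.join(root, "proj", "src"))
    for rel in ("proj/UPGRADE.exe", "proj/UPGRADE/readme.txt",
                "proj/src/main.c", "proj/src.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder\n")

def demo():
    """Build the sample tree in a temp directory and return hits relative to it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(d, root), os.path.relpath(f, root))
                for d, f in find_shadowing_executables(root)]

if __name__ == "__main__":
    for folder, exe in demo():
        print(f"{exe} shares its name with folder {folder}")
```

Run against a real working folder by calling `find_shadowing_executables` with its path; files such as `src.txt` next to a `src` folder are not flagged because the extension is not launchable.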
