After the HelpViewer problem, and the self-URI registration in MacOSX, not to mention the telnet://-nFile overwrite on many platforms, here is yet another one using the SSH handler.
It has not been determined whether this vulnerability can be successfully exploited on Linux, but it seems that Konqueror is protected, while Firefox/etc. are not. I wish I could test it, but it seems that there is a bug in Gnome 2.6.1 and these URI handlers which prevented successful exploitation. Other than that, the Gnome browsers would all be vulnerable.
On MacOSX, it is still possible to use paths (like /path/to/xx and :path:to:xxx) in URI links by URL-encoding them, despite the recent fix which filtered them out.
This weakness allows a new URI + SSH exploit, using the ProxyCommand option of ssh clients. This option is meant to execute a proxy application, which is launched between the ssh client and the actual connection. Unfortunately, this option can also be used to execute arbitrary commands.
Safari, Camino, Firefox and Mozilla have been reported vulnerable on OSX.
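A handler-side mitigation for the problem described above, as an added example that is not part of the original advisory: percent-decode the ssh:// URI components before filtering, accept only plain host and user names, and pass the host after `--` so it can never be parsed as an option such as ProxyCommand. The function names, the allow-list patterns and the sample URIs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Conservative allow-lists (assumption: DNS names or IPv4 only, no IPv6 literals).
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
# Constructed sample inputs (not taken from the advisory); all must be rejected.
REJECTED_SAMPLES = [
    "ssh://%2DoProxyCommand=PLACEHOLDER",    # encoded leading '-' becomes an option
    "ssh://%252DoProxyCommand=PLACEHOLDER",  # same, hidden behind double encoding
    "ssh://example.org%2Ftmp",               # encoded path smuggled into the host
]


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, so %2D or %252D cannot hide a leading '-'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def ssh_argv_from_uri(uri):
    """Return an argv list for a validated ssh:// URI, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ssh":
        raise ValueError("not an ssh URI")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("path, query and fragment are rejected")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    user, host = fully_decode(userinfo), fully_decode(host)
    if not HOST_RE.fullmatch(host):
        raise ValueError("host rejected after decoding")
    argv = ["ssh"]
    if port:
        if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError("bad port")
        argv += ["-p", port]
    if user:
        if not USER_RE.fullmatch(user):
            raise ValueError("user rejected after decoding")
        argv += ["-l", user]
    # "--" ends option parsing: the host can never be read as an option.
    return argv + ["--", host]
```

The returned list is meant to be executed directly as an argument vector, never joined into a shell command line.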
My policy is usually to keep such things private, to research them to their full extent, then to start informing the vendors, and to publish the problem to the public after a fix has been issued or after a few months without answers. However, as you know, two or three vulnerabilities of the same kind are already being discussed (which were reported and disclosed before my own research anyway), and one is not yet fixed in MacOSX.
Therefore I think it is in the best interest that people know about it to protect themselves.