Passing on:

10. Pine Environment Variable Expansion in URLS Vulnerability
BugTraq ID: 810
Remote: Yes
Date Published: 1999-11-18
Relevant URL: http://www.securityfocus.com/bid/810
Summary:

When pine handles email formatted with or containing HTML, urls which
contain shell variables defined on the local machine where the client is
running are expanded when followed.  This can cause many security
problems, ranging from sending expanded variables to webservers in the
form of cgi parameters (and then logged to collect information about the
target) to possibly executing arbitrary commands on the target host
through malicious email.  The following example was given by Jim Hebert
<jhebert@jhebert.cx> in his post to BugTraq:


echo 'setenv WWW www.securityfocus.com' >> .tcshrc
source .tcshrc
pine
(view a link I mailed myself like: http://$WWW )
it works, I visit securityfocus.