Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability
salinasv at gmail.com
Thu Jul 21 14:21:21 EDT 2011
On Thu, Jul 21, 2011 at 1:01 PM, Daniel Atallah
<daniel.atallah at gmail.com> wrote:
> On Wed, Jul 20, 2011 at 23:58, James Burton
> <james.burton at insomniasec.com> wrote:
>> Security at Pidgin.im,
>> Please find the advisory detailing the vulnerability attached to this
>> Please keep in touch regarding a fix so I can include the relevant
>> information in my advisory which I intend to release to the public in a
>> month from now. If more time is required please let me know.
>> Warm Regards
> Thanks for the report.
> The functionality that handles "file://" URIs is intended to handle
> links that are generated by Pidgin itself (links to files after file
> transfer is complete).
> I guess a solution could be to be to make it so that only handles
> file:// URIs that we generate - I'm not sure how hard that's going to
> be to implement.
> Another option would be to prompt the user to confirm that they want
> to open the URI.
I don't think that prompting the user to confirm an action started by
him is a good idea (It comes to my head windows asking you if you
really want to execute the program you just double-clicked).
I think that can be handled by the imhtml renderer.
> I wasn't able to find any good documentation that outlined how others
> have dealt with this type of thing - are you aware of any such
> security mailing list
> security at pidgin.im
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Q: What is the most annoying thing on usenet and in e-mail?
More information about the security