Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Eion Robb eion at
Thu Jul 21 19:02:41 EDT 2011

On 22 July 2011 06:01, Daniel Atallah <daniel.atallah at> wrote:
> The functionality that handles "file://" URIs is intended to handle
> links that are generated by Pidgin itself (links to files after file
> transfer is complete).
Sending file:// links in messages is also very useful, especially for
network shared files on a corporate system.

> I guess a solution could be to make it so that it only handles
> file:// URIs that we generate - I'm not sure how hard that's going to
> be to implement.
> Another option would be to prompt the user to confirm that they want
> to open the URI.
Maybe it should only confirm if it's for a file:// URI that wasn't generated
by libpurple?

Perhaps another option is to do a 'show file in explorer' for all file://
URIs so that file:// URIs are never executed?

> I wasn't able to find any good documentation that outlined how others
> have dealt with this type of thing - are you aware of any such
> documentation?
I couldn't either.  Best I could find was that browsers will prompt to
confirm for Run and Save like they would for any other type of download.

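The options raised in this thread (open only the file:// URIs the client generated itself, confirm the rest, or reveal every file:// target in the file manager instead of executing it) can be expressed as one decision function. This is an added example, not code from the thread or from Pidgin/libpurple; every name in it is hypothetical and the sample URIs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* All names here are hypothetical; none of this is libpurple API. */
enum uri_policy { POLICY_CONFIRM_UNTRUSTED, POLICY_REVEAL_ALL };
enum uri_action { ACT_PASS_THROUGH, ACT_OPEN, ACT_CONFIRM, ACT_REVEAL_IN_FOLDER };

#define MAX_GENERATED 64
#define URI_MAX 1024
static char generated[MAX_GENERATED][URI_MAX]; /* file:// URIs the client wrote itself */
static size_t n_generated;

/* Record a link the client produced, e.g. after a completed file transfer. */
int register_generated_uri(const char *uri)
{
    if (!uri || n_generated == MAX_GENERATED || strlen(uri) >= URI_MAX)
        return -1;
    strcpy(generated[n_generated++], uri);
    return 0;
}

static int was_generated(const char *uri)
{
    for (size_t i = 0; i < n_generated; i++)
        if (strcmp(generated[i], uri) == 0) /* exact match only, never a prefix */
            return 1;
    return 0;
}

/* Decide what a click on `uri` may do; the caller performs the action. */
enum uri_action decide_uri_action(const char *uri, enum uri_policy policy)
{
    if (!uri || strncasecmp(uri, "file:", 5) != 0) /* URI schemes are case-insensitive */
        return ACT_PASS_THROUGH;                   /* not a file URI: outside this policy */
    if (policy == POLICY_REVEAL_ALL)
        return ACT_REVEAL_IN_FOLDER;               /* never execute any file:// target */
    return was_generated(uri) ? ACT_OPEN : ACT_CONFIRM;
}

int main(void)
{
    /* Constructed sample URIs. */
    register_generated_uri("file:///home/user/downloads/report.pdf");
    printf("%d\n", decide_uri_action("FILE://fileserver/share/setup.exe", POLICY_CONFIRM_UNTRUSTED));
    return 0;
}
```

The registry is matched on the exact string the client emitted, so a received link that merely starts with a generated path still goes to the confirmation branch.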