Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Paul Aurich paul at
Fri Jul 22 01:30:59 EDT 2011

On 2011-07-21 16:33, James Burton wrote:
> Thanks for the prompt replies.

Thank you for reporting this.

> Eion's suggestion of giving the option to show file in explorer would
> definitely prevent file:// being abused to cause code execution, but it
> wouldn't fix the root cause of the issue. The fact is every Windows
> system has a many URL protocol handlers installed - any of which has the
> potential for abuse. I merely chose file:// because it was the most
> obvious to demonstrate.

Yep, though I believe there have been a number of shell vulnerabilities
such that even viewing the file lead to exploitation -- I still think
this is the appropriate solution.

Pidgin currently has two types of URI handlers:
   1) URIs handled explicitly by Pidgin.
      These currently include http, https, ftp, gopher (side note:
Really!?), mailto, and file.  The first five invoke the user's browser
(http "open" handler) via ShellExec.  file, as we know, can be abused,
so I think changing this to show the file in Explorer is the appropriate
resolution here.

   2) All URI schemes under HKCR.  These are explicitly passed to the
URI handler (same code as first five in #1), in essence, passing the
buck off to the user's web browser.

There have been security issues in the interaction between the browser
(Firefox being the one I recall) and Windows when it comes to URL
handling, so perhaps we should still reconsider registering all classes
handled by Windows, so that Pidgin is not a vector for exploitation of
browser security issues.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the security mailing list