MXit PRPL user-supplied file paths

Mark Doliner mark at kingant.net
Sun Jan 6 15:05:34 EST 2013


Chris Wysopal and Veracode found places in our code where we write a
file to the local disk using a filename that partially comes from the
network.  This is dangerous because the filename could potentially
contain something like "../../.bashrc" or "../../../../../etc/passwd"
and we could overwrite something that the user cares about.

This email concerns the two places where the MXit code does this.
Please see the attached patch against the 2.x.y branch.  Am I correct
that some parts of the filename come in from the network?  Do my
changes look like they'll fix the problems?

Next question: Is it possible for a remote user to specify the values
for these variables?  If so, I think we should obtain a CVE for this
and go through the embargoed disclosure process.  But if the values
are specified by the MXit server and not by a remote user then I think
it's fine to commit this to 2.x.y and release at our leisure.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mxit_filename_fixes.diff
Type: application/octet-stream
Size: 2136 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130106/22214539/attachment.obj>
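
Added example, not part of the original message and not the attached patch: one way to reduce a network-supplied filename such as "../../.bashrc" to a single path component before joining it to a local directory. The helper names and the "/tmp/mxit" directory used in testing are hypothetical, not Pidgin or MXit identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Pidgin's API): reduce a network-supplied name to
 * a single path component. Returns 0 and fills `out` on success, or -1 if
 * no safe component remains. */
static int sanitize_component(const char *untrusted, char *out, size_t outlen)
{
    const char *base = untrusted, *p;
    size_t len;

    if (untrusted == NULL || out == NULL || outlen == 0)
        return -1;
    /* Keep only what follows the last separator; treat '\\' as one too. */
    for (p = untrusted; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    len = strlen(base);
    if (len == 0 || len >= outlen)
        return -1;
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    /* Reject control characters rather than guessing at intent. */
    for (p = base; *p != '\0'; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return -1;

    memcpy(out, base, len + 1);
    return 0;
}

/* Build "<dir>/<component>"; `dir` is trusted, `untrusted` is not. */
static int build_local_path(const char *dir, const char *untrusted,
                            char *out, size_t outlen)
{
    char name[256];
    int n;

    if (sanitize_component(untrusted, name, sizeof(name)) != 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The result always stays inside the chosen directory, but a leading-dot name such as ".bashrc" is kept as-is there; callers that also care about overwriting existing files in that directory need a separate check.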

