MXit PRPL user-supplied file paths

Ethan Blanton elb at
Sun Jan 6 16:35:45 EST 2013

Mark Doliner spake unto us the following wisdom:
> Next question: Is it possible for a remote user to specify the values
> for these variables?  If so, I think we should obtain a CVE for this
> and go through the embargoed disclosure process.  But if the values
> are specified by the MXit server and not by a remote user then I think
> it's fine to commit this to 2.x.y and release at our leisure.

I believe we need a CVE and embargo even if all of this is generated
by the MXit servers.  Why should MXit users trust the MXit servers
implicitly?  This is a vulnerability.


More information about the security mailing list