MXit PRPL user-supplied file paths
Ethan Blanton
elb at pidgin.im
Sun Jan 6 16:35:45 EST 2013
Mark Doliner spake unto us the following wisdom:
> Next question: Is it possible for a remote user to specify the values
> for these variables? If so, I think we should obtain a CVE for this
> and go through the embargoed disclosure process. But if the values
> are specified by the MXit server and not by a remote user then I think
> it's fine to commit this to 2.x.y and release at our leisure.
I believe we need a CVE and embargo even if all of this is generated
by the MXit servers. Why should MXit users trust the MXit servers
implicitly? This is a vulnerability.
Ethan
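As an added illustration of the point made in this thread, and not code from Pidgin or the MXit PRPL: whether a filename arrives from a remote user or from the MXit server, it should be treated as untrusted input and reduced to a single plain path component before it is joined to any local directory. The function names, the cache directory and the sample inputs below are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 255

/* Hypothetical helper (not Pidgin code): returns true only if 'name' is a
 * single, plain filename component. Anything that could change which
 * directory is written to (separators, "." / "..", empty names, control
 * characters, over-long names) is rejected. */
bool safe_filename_component(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;

    size_t len = strlen(name);
    if (len > MAX_NAME_LEN)
        return false;

    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Reject both POSIX and Windows separators plus drive/stream colons. */
        if (c == '/' || c == '\\' || c == ':')
            return false;
        /* Reject control characters, including NUL is already excluded by strlen. */
        if (c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

/* Hypothetical helper: builds "<dir>/<name>" into 'out' only when 'name'
 * passes the check above. Returns true on success; on failure 'out' is
 * left as an empty string so a caller cannot use a half-built path. */
bool build_local_path(const char *dir, const char *name, char *out, size_t outlen)
{
    out[0] = '\0';
    if (!safe_filename_component(name))
        return false;

    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names standing in for values received over the wire. */
    const char *samples[] = { "avatar.png", "../outside.txt", "sub/dir.png", "", ".." };
    char path[512];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = build_local_path("/tmp/mxit-cache", samples[i], path, sizeof path);
        printf("%-20s -> %s %s\n", samples[i], ok ? "accepted" : "rejected", ok ? path : "");
    }
    return 0;
}
```

The check is deliberately an allow-list on the shape of the name rather than a search for known-bad substrings; the caller should also store into a directory dedicated to that account so that even a bug elsewhere cannot reach configuration files.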