MXit PRPL user-supplied file paths

Mark Doliner mark at
Thu Jan 10 04:07:52 EST 2013

(Just responding to a question Andrew had asked a few days ago that I
realized I never answered.)

On Sun, Jan 6, 2013 at 1:30 PM, Andrew Victor <Andrew.Victor at> wrote:
> Since the filename format above always ends in ".png", does that not mean that only PNG files can be created or overwritten?

Probably, yeah.

> The string is not URL-decoded, so if a %00 is inserted it's still not possible to terminate the string before the extension.
> (i.e., no ../../../../passwd possible)

Yeah, that sounds right to me.  So the remote user would only be able
to write files with a .png extension.  That's certainly an
improvement, but probably still worth getting a CVE for.
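
The residual risk discussed in this thread, as an added example that is not part of the original e-mail and is not the MXit plugin's code: a fixed ".png" suffix limits the file type but not the directory, and a literal "%00" stays in the name. The `<dir>/<name>.png` format, the function names, and the `/tmp/emoticons` directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed naive form: directory + remote-supplied name + fixed ".png". */
int naive_png_path(const char *dir, const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.png", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;   /* -1 on truncation */
}

/* Accept only a single path component made of [A-Za-z0-9_-]. */
int name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    /* strspn returns the length of the leading run of allowed bytes, so
     * '/', '\\', '.', '%' and anything else outside the set is rejected. */
    return strspn(name, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                        "0123456789_-") == len;
}

/* Hardened form: validate the name first, then build the same path. */
int safe_png_path(const char *dir, const char *name, char *out, size_t outlen)
{
    if (!name_is_safe(name))
        return -1;
    return naive_png_path(dir, name, out, outlen);
}

int main(void)
{
    /* Constructed sample names; "/tmp/emoticons" is a placeholder directory. */
    const char *names[] = { "smiley_01", "../../home/user/avatar", "x%00" };
    char naive[256], safe[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = safe_png_path("/tmp/emoticons", names[i], safe, sizeof safe);
        naive_png_path("/tmp/emoticons", names[i], naive, sizeof naive);
        printf("naive: %-42s safe: %s\n", naive, ok == 0 ? safe : "(rejected)");
    }
    return 0;
}
```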
