Command injection through URL in Pidgin
john.houwer at gmail.com
Sun Jun 9 09:48:40 EDT 2013
I'm using Pidgin (2.10.7-r1 (gentoo linux) this should be the newest
release). I found a flaw in the handling of URLs.
If I click on a URL within a message, it gets executed through /bin/sh! The
Shell Commands don't get escaped!
opens a xterm (linux)
Creates the File /tmp/ownage! If you use a <space> the URL will stop. If
you use a <tab> you can inject what you want to.
In preferences the browser is set to "desktop default".
I think this is a major concern. The user needs to click on the link, but
you know how it is nowadays. ;)
Please inform me about when you plan to fix this asap.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the security