Command injection through URL in Pidgin
John Houwer
john.houwer at gmail.com
Sun Jun 9 09:48:40 EDT 2013
Hello,
I'm using Pidgin 2.10.7-r1 (Gentoo Linux); this should be the newest
release. I found a flaw in the handling of URLs.
If I click on a URL within a message, it gets executed through /bin/sh! The
shell commands don't get escaped!
Examples:
http://example.org/$(xterm)
opens an xterm (Linux)
http://example.org/$(touch<tab>/tmp/ownage)
creates the file /tmp/ownage! If you use a <space>, the URL will stop. If
you use a <tab>, you can inject whatever you want.
In preferences the browser is set to "desktop default".
I think this is a major concern. The user needs to click on the link, but
you know how it is nowadays. ;)
Please inform me ASAP about when you plan to fix this.
thx
regards John
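
The behaviour reported above, shown next to a quoted form, as an added example that is not part of the original message and is not Pidgin's code. `run_with_arg` is a hypothetical stand-in for the browser launch (it hands `printf %s <arg>` to /bin/sh), and the sample URL is constructed with a harmless `echo` in place of the commands in the report.

```c
#define _POSIX_C_SOURCE 200809L  /* popen, strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as one /bin/sh word: wrap in '...' and turn each ' into '\''.
 * Same idea as GLib's g_shell_quote(). Caller frees the result. */
char *shell_quote(const char *s)
{
    size_t n = 3;                          /* two quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (!out) return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Hypothetical stand-in for launching a browser through the shell:
 * returns the argument exactly as the launched command received it. */
char *run_with_arg(const char *arg)
{
    char cmd[512], buf[512];
    snprintf(cmd, sizeof cmd, "printf %%s %s", arg);
    FILE *fp = popen(cmd, "r");            /* popen runs cmd via /bin/sh */
    if (!fp) return NULL;
    size_t got = fread(buf, 1, sizeof buf - 1, fp);
    pclose(fp);
    buf[got] = '\0';
    return strdup(buf);
}

int main(void)
{
    const char *url = "http://example.org/$(echo\tINJECTED)"; /* constructed */
    char *q = shell_quote(url);
    char *raw = run_with_arg(url);         /* substitution is evaluated */
    char *safe = run_with_arg(q);          /* URL arrives as literal text */
    if (!q || !raw || !safe) return 1;
    printf("unquoted: %s\nquoted:   %s\n", raw, safe);
    free(q); free(raw); free(safe);
    return 0;
}
```

Quoting is the minimum fix; passing the URL as a separate argv element to an exec-style call avoids the shell altogether.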