Command injection through URL in Pidgin

John Houwer john.houwer at
Sun Jun 9 09:48:40 EDT 2013


I'm using Pidgin (2.10.7-r1 on Gentoo Linux; this should be the newest
release). I found a flaw in the handling of URLs.

If I click on a URL within a message, it gets executed through /bin/sh! The
shell commands don't get escaped!

opens an xterm (linux)$(touch<tab>/tmp/ownage)
Creates the file /tmp/ownage! If you use a <space>, the URL will stop. If
you use a <tab>, you can inject whatever you want.

In preferences the browser is set to "desktop default".

I think this is a major concern. The user needs to click on the link, but
you know how it is nowadays. ;)

Please inform me about when you plan to fix this ASAP.


regards John
-------------- next part --------------
An HTML attachment was scrubbed...
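The mechanism the report describes, as an added example that is neither Pidgin's code nor the reporter's: a URL is interpolated into a shell command string, so /bin/sh splits it on tab and expands the $(...) command substitution. A harmless printf stands in for the configured browser, the injected command is a constructed echo rather than touch, and the URL, function names and the ASCII-only validity check are all assumptions made for this example.

```python
"""Added example (not Pidgin's code): how an unescaped URL reaches /bin/sh
and what quoting or avoiding the shell changes. The "browser" is a harmless
printf so the script can be run safely; the injected command is a
constructed `echo`, not `touch`."""
import shlex
import subprocess

# Constructed URL mirroring the report: a tab (not a space) separates the URL
# from shell syntax, and $(...) is a command substitution for /bin/sh.
MALICIOUS_URL = "http://example.invalid/\t$(echo injected)"

# Stand-in for the configured browser command; prints each argument on its own
# line, which makes the word splitting visible.
BROWSER = "printf '%s\\n'"


def _run_sh(cmd: str) -> str:
    """Run a command string through /bin/sh -c and return its stdout."""
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def open_url_vulnerable(url: str) -> str:
    """Interpolate the URL into a shell string, as the report describes.
    The tab splits the URL into two words and $(echo injected) is executed."""
    return _run_sh(f"{BROWSER} {url}")


def open_url_quoted(url: str) -> str:
    """Shell-quote the URL so /bin/sh sees exactly one literal argument;
    the tab and the $(...) are passed through untouched."""
    return _run_sh(f"{BROWSER} {shlex.quote(url)}")


def open_url_no_shell(url: str) -> str:
    """Skip the shell entirely: hand argv to the program directly, so there is
    no word splitting and no command substitution at all."""
    return subprocess.run(["printf", "%s\n", url],
                          capture_output=True, text=True).stdout


def url_is_clean(url: str) -> bool:
    """Defense in depth (assumed policy for this example): a URL contains no
    whitespace or control characters, so reject anything outside printable
    ASCII before it gets near a browser launcher at all."""
    return all(33 <= ord(c) <= 126 for c in url)


if __name__ == "__main__":
    print("vulnerable:", repr(open_url_vulnerable(MALICIOUS_URL)))
    print("quoted:    ", repr(open_url_quoted(MALICIOUS_URL)))
    print("no shell:  ", repr(open_url_no_shell(MALICIOUS_URL)))
    print("clean?     ", url_is_clean(MALICIOUS_URL))
```

The vulnerable path prints "http://example.invalid/" and then "injected" on a second line, proving the substitution ran; the quoted and shell-free paths print the URL once, tab and $(...) included, as inert text. Of the two fixes, passing argv without a shell is the robust one; quoting is only as good as the quoting routine and the shell that consumes it.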