[Pidgin] #8252: Pidgin nickname html insertion
Pidgin
trac at pidgin.im
Mon Jan 26 11:23:18 EST 2009
#8252: Pidgin nickname html insertion
--------------------------+-------------------------------------------------
Reporter: jdstrand | Owner: lschiere
Type: defect | Status: new
Component: unclassified | Version: 2.5.2
Keywords: | Launchpad_bug:
--------------------------+-------------------------------------------------
The following bug was reported in the Ubuntu bug tracking system
(https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/299048):
Binary package hint: pidgin
The vulnerability is caused because when other user changes the nickname
or sends a nudge, in this moment if the nickname have any html tags, the
program interprets this tag and cause it to run the code.
But this vulnerability is very low because don't allows execute any html
code, only some..
eg : the vulnerability allows execute simple tags.. but no javascript code
eg true : <a href="http://www.google.com.ar">Text to be displayed</a>
eg false : <script>alert(1)</script>
finally.. is important repair this bug, because somewhere user can make
malformed link and steal cookies..
ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/pidgin
Package: pidgin 1:2.5.2-0ubuntu1
ProcEnviron:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
LANG=es_AR.UTF-8
SHELL=/bin/bash
SourcePackage: pidgin
Uname: Linux 2.6.27-7-generic i686
--
Ticket URL: <http://developer.pidgin.im/ticket/8252>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list