[Pidgin] #12456: Exploit for AIM Protocol - Ghosting
Pidgin
trac at pidgin.im
Tue Aug 24 14:10:24 EDT 2010
#12456: Exploit for AIM Protocol - Ghosting
-----------------------------------+----------------------------------------
 Reporter:  Wrycu                  |        Owner:  MarkDoliner
     Type:  plugin request         |       Status:  new
Milestone:                         |    Component:  AIM
  Version:  2.7.2                  |   Resolution:
 Keywords:  ghosting chat exploit  |
-----------------------------------+----------------------------------------
Comment(by MarkDoliner):
I'm extremely busy and haven't had time to look at this.
If what you say is true then I think the most appropriate fix is for
either libpurple/protocols/oscar/family_chat.c:incomingim_ch3 or
libpurple/protocols/oscar/oscar.c:purple_conv_chat_incoming_msg to make
sure the sender is in the room before calling serv_got_chat_in(). Even
better would be to specifically ignore the malformed join packets.
I'm concerned about putting this check in libpurple, because it seems
possible that some protocols allow for people not in the room to send a
message into the room.
--
Ticket URL: <http://developer.pidgin.im/ticket/12456#comment:6>
Pidgin <http://pidgin.im>
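
The sender-in-room check suggested in the comment above, as a stand-alone C model (an added example, not Pidgin or libpurple code). `struct room`, `name_eq`, `room_has_member` and `chat_incoming_msg` are hypothetical stand-ins, and the case- and space-insensitive name comparison is an assumption about how AIM screen names are matched.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical stand-in for a chat room's roster; not a libpurple type. */
struct room {
    const char *const *members;
    size_t n_members;
    unsigned delivered;  /* messages passed on to the UI layer */
    unsigned dropped;    /* messages rejected by the membership check */
};
static const char *const SAMPLE_MEMBERS[] = { "Alice Example", "bob42" };
static struct room sample_room = { SAMPLE_MEMBERS, 2, 0, 0 };  /* constructed */

/* Assumption: names match ignoring case and spaces. Returns 1 if equal. */
static int name_eq(const char *a, const char *b)
{
    for (;;) {
        while (*a == ' ') a++;
        while (*b == ' ') b++;
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        if (*a == '\0') return 1;
        a++; b++;
    }
}

static int room_has_member(const struct room *r, const char *who)
{
    if (who == NULL || *who == '\0') return 0;  /* no sender: never a member */
    for (size_t i = 0; i < r->n_members; i++)
        if (name_eq(r->members[i], who)) return 1;
    return 0;
}

/* Protocol-level gate: 1 if the message was delivered, 0 if dropped. */
int chat_incoming_msg(struct room *r, const char *who, const char *msg)
{
    if (!room_has_member(r, who)) { r->dropped++; return 0; }
    r->delivered++;
    printf("<%s> %s\n", who, msg);  /* stand-in for serv_got_chat_in() */
    return 1;
}

int main(void)
{
    chat_incoming_msg(&sample_room, "BOB 42", "hello");      /* member */
    chat_incoming_msg(&sample_room, "ghost", "not in room"); /* dropped */
    printf("delivered=%u dropped=%u\n", sample_room.delivered, sample_room.dropped);
    return 0;
}
```

Keeping the gate in the protocol-specific handler rather than in shared code matches the concern in the comment that other protocols may allow messages from users outside the room.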