[Pidgin] #15276: Release Notification plugin only uses HTTP; proxy bypass
Pidgin
trac at pidgin.im
Wed Aug 22 21:51:27 EDT 2012
#15276: Release Notification plugin only uses HTTP; proxy bypass
--------------------+-------------------------------------------------------
Reporter: ioerror | Type: defect
Status: new | Component: plugins
Version: 2.10.6 | Keywords: security
--------------------+-------------------------------------------------------
== Summary ==
The release notification plugin only uses HTTP; it also appears to bypass
the proxy settings by leaking a DNS query to the local network.
== Steps to reproduce ==
Enable "Tor/Privacy proxy" and configure it to use Tor.
Enable Release Notification plugin.
Shortly after in the debug log, I see the following:
{{{
(18:36:06) dnsquery: Performing DNS lookup for pidgin.im
(18:36:06) prefs: /plugins/gtk/relnot/last_check changed, scheduling save.
(18:36:06) prefs: /pidgin/plugins/loaded changed, scheduling save.
(18:36:07) plugins: Unloading plugin Release Notification
(18:36:07) prefs: /pidgin/plugins/loaded changed, scheduling save.
(18:36:10) dnsquery: IP resolved for pidgin.im
(18:36:10) proxy: Attempting connection to 74.63.8.88
(18:36:10) proxy: Connecting to pidgin.im:80 with no proxy
(18:36:10) proxy: Connection in progress
(18:36:10) proxy: Connecting to pidgin.im:80.
(18:36:10) proxy: Connected to pidgin.im:80.
(18:36:10) util: request constructed
(18:36:10) util: Response headers: 'HTTP/1.0 200 OK
X-Powered-By: PHP/5.3.3-7+squeeze9
Content-Type: text/plain
Content-Length: 0
Connection: close
Date: Thu, 23 Aug 2012 01:36:10 GMT
Server: lighttpd/1.4.28
}}}
== Expected results ==
I expect SSL/TLS to be used when checking for updates; an attacker may
simply deny these HTTP requests and deny me critical updates. Furthermore,
I expected my proxy to be used and for DNS leaks to not occur.
== Actual results ==
HTTP is used.
Apparently, DNS queries are leaked and the configured proxy is bypassed.
== Regression ==
None as far as I can tell.
== Notes ==
The "Tor/Privacy Proxy" bug is #11110
--
Ticket URL: <http://developer.pidgin.im/ticket/15276>
Pidgin <http://pidgin.im>
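
A check for the condition reported in this ticket, as an added example that is not part of the original report or of Pidgin's code: it scans a Pidgin debug log for the two message shapes quoted in the ticket (`dnsquery: Performing DNS lookup for ...` and `proxy: Connecting to ... with no proxy`). The function name, the finding labels and the `proxy_hosts` allowlist are assumptions made for illustration, and matching is only as reliable as those log strings are stable across Pidgin versions.

```python
import re

# Sample input: a subset of the debug log lines quoted in the ticket.
SAMPLE_LOG = """\
(18:36:06) dnsquery: Performing DNS lookup for pidgin.im
(18:36:06) prefs: /plugins/gtk/relnot/last_check changed, scheduling save.
(18:36:10) dnsquery: IP resolved for pidgin.im
(18:36:10) proxy: Attempting connection to 74.63.8.88
(18:36:10) proxy: Connecting to pidgin.im:80 with no proxy
(18:36:10) proxy: Connected to pidgin.im:80.
"""

# "(HH:MM:SS) category: message", the line shape seen in the ticket's log.
LINE = re.compile(r"^\((\d\d:\d\d:\d\d)\) (\w+): (.*)$")
DNS = re.compile(r"^Performing DNS lookup for (\S+)$")
DIRECT = re.compile(r"^Connecting to (\S+):(\d+) with no proxy$")


def find_proxy_bypass(log_text, proxy_hosts=("localhost", "127.0.0.1")):
    """Return (time, kind, host, port) findings for a privacy-proxy setup.

    proxy_hosts (assumed allowlist): names the client may legitimately
    resolve or reach directly, i.e. the proxy endpoint itself.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. continuation lines of logged HTTP headers
        ts, category, msg = m.groups()
        if category == "dnsquery" and (d := DNS.match(msg)):
            if d.group(1) not in proxy_hosts:
                # Name resolved by the client instead of through the proxy.
                findings.append((ts, "local-dns-lookup", d.group(1), None))
        elif category == "proxy" and (c := DIRECT.match(msg)):
            host, port = c.group(1), int(c.group(2))
            if host in proxy_hosts:
                continue
            findings.append((ts, "direct-connection", host, port))
            if port == 80:
                # Port 80 here means the update check went out as plain HTTP.
                findings.append((ts, "cleartext-http", host, port))
    return findings


if __name__ == "__main__":
    for finding in find_proxy_bypass(SAMPLE_LOG):
        print(finding)
```
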