Date:         Sat, 3 Mar 2001 15:27:21 -0500
From: Bill Soudan <wes0472@RIT.EDU>
Subject:      Re: Security hole in kicq
To: BUGTRAQ@SECURITYFOCUS.COM

On Wed, 14 Feb 2001, Marc Roessler wrote:

> there is some security related problem with kicq.
> The authors were contacted and provided with a suggestion for a patch
> which should be available soon.
> I did not find anything on the archive on this, so here we go.
>
> kicq is a free icq client clone available at http://kicq.sourceforge.net/.
> Unfortunately received (untrusted!) URLs are passed to the specified web browser
> (standard is kfmclient) without any sanity checking using system().
> The only user action needed for this is to click "Open" in a popup menu.
>
> I tried with version 1.0.0, it is vulnerable for sure.
> Other versions (such as 2.0.0b1) seem to be vulnerable as well,
> though I did not compile them to try.
>
> Details:
>
> The problem is in file kicq/utils/kwebbrowser.cpp. For example:
>
> 	system(QString("kfmclient openURL '" + URL + "' &").latin1());
>
> Other browsers (netscape, lynx, wget) are called similarly; this needs
> to be patched as well.

This has been corrected in the current CVS, which will be the base for the
next release of KICQ.  I've attached the relevant ChangeLog message.

Special thanks go to Bernhard Rosenbraenzer (bero@redhat.de) for going out
of his way to correct the problem for us!

Thanks,
Bill

---

2000-03-03  Bill Soudan  <soudan@kde.org>

        Sync with version in kdenonbeta - merge commits by non-kicq
        developers from initial checkin until today.

        * Makefile.am: merge from kdenonbeta: coolo -
        let's give kicq a real messages file

        * kicq/contactlist/contactlist.cpp: merge from kdenonbeta:
        faure - 0 is NOT a valid QString

        * kicq/main/mainwindow.cpp: merge from kdenonbeta: faure -
        don't crash on startup

        * kicq/utils/kwebbrowser.cpp, kicq/utils/kwebbrowser.h:
        merge from kdenonbeta: bero - Fix potential security problem
        (people could execute commands by sending malformed URLs)

        * kicq/utils/kwebbrowser.cpp: merge from kdenonbeta: bero -
        Fix my recent fix

        * kicq/utils/kwebbrowser.cpp: merge from kdenonbeta: bero -
        Fix wget invocation. Don't ever invoke a browser through a shell,
        not even with 'URL' think of the URL ';rm -rf ~/*

        * kicq/messageurl/msgwindow.cpp: quote all messages now,
        not just latin1 messages (partial merge from dys -
        non-latin1 fixes by Stephan Kalichkin...)

        * kicq/icqlib/kicqlibmanager.cpp: icq_SetTimeout(0) now
        stops timer
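An added example (not kicq's code) of the point the ChangeLog makes: splicing a URL into a system() string between single quotes cannot be made safe, because a quote inside the URL ends the quoting, whereas passing the URL as one argv element to fork/execvp never lets a shell parse it. Function and program names below are assumed for illustration.

```cpp
// Added example, not from kicq: the shell-quoting pattern the advisory
// describes, beside a launcher that never involves a shell.
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// The pattern reported in the advisory: the URL is spliced into a shell
// command line between single quotes. A single quote inside the URL ends the
// quoting, and the shell parses whatever follows as further commands.
std::string unsafeCommandLine(const std::string& url) {
    return "kfmclient openURL '" + url + "' &";
}

// True when a URL can break out of single-quote shell quoting: any embedded
// quote does, and an embedded NUL truncates the C string handed to system().
bool escapesSingleQuotes(const std::string& url) {
    return url.find('\'') != std::string::npos ||
           url.find('\0') != std::string::npos;
}

// The fix the ChangeLog describes: hand the URL to the browser as a single
// argv element. No shell sees it, so no character in it is special.
std::vector<std::string> browserArgv(const std::string& browser,
                                     const std::string& url) {
    if (browser == "kfmclient") return {"kfmclient", "openURL", url};
    return {browser, url};   // netscape, lynx, wget style: "<browser> <url>"
}

// fork + execvp on an argv vector. Returns the child's exit status, -1 if
// fork/waitpid failed, and 127 when the program could not be executed.
// A real client would not wait for the browser; waiting keeps this testable.
int runWithoutShell(const std::vector<std::string>& args) {
    std::vector<char*> argv;
    for (const auto& a : args) argv.push_back(const_cast<char*>(a.c_str()));
    argv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv.data());   // only returns on failure
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```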