oss-sec mailing list archives
CVE request - pidgin MSN arbitrary file upload
From: Paul Aurich <paul () darkrain42 org>
Date: Sat, 02 Jan 2010 13:56:32 -0800
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html

In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not validate the filename received in a request for Pidgin to upload a custom emoticon to a third-party, allowing an attacker to download arbitrary files on the system via directory traversal.

This is fixed in source, but no release yet:
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

-- 
Paul Aurich
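The kind of filename validation the message says was missing, as an added example: this is not Pidgin's code and not the fix in the revision linked above. The function names and the /tmp/custom_smiley directory are hypothetical, and the sketch assumes custom emoticons are stored flat in a single directory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept a peer-supplied emoticon name only if it is a
 * single plain file name, so it cannot point outside the emoticon directory. */
static bool emoticon_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* "." and ".." are directory references, not file names. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        /* No separators of either style, no drive colon, no control bytes. */
        if (*p == '/' || *p == '\\' || *p == ':' || *p < 0x20 || *p == 0x7f)
            return false;
    }
    return true;
}

/* Build "<dir>/<name>" into out. Returns 0 on success, -1 if the name is
 * rejected or the result would not fit (a truncated path is never used). */
int emoticon_build_path(const char *dir, const char *name,
                        char *out, size_t outlen)
{
    if (dir == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!emoticon_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the message or the talk. */
    const char *samples[] = { "smile.png", "../../etc/passwd",
                              "/etc/passwd", "..\\..\\boot.ini", "" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = emoticon_build_path("/tmp/custom_smiley", samples[i],
                                     path, sizeof path);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

A lexical check like this does not cover symbolic links placed inside the directory itself; opening the file without following links is a separate control.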