[16400] in bugtraq
Re: MDKSA-2000:039 - xchat update
daemon@ATHENA.MIT.EDU (Joey Hess)
Sat Aug 26 02:12:44 2000
Mail-Followup-To: Joey Hess <joey@kitenet.net>,
Signal 11 <signal11@MEDIAONE.NET>,
submit@bugs.debian.org, BUGTRAQ@SECURITYFOCUS.COM,
security@debian.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20000825202204.A2770@kitenet.net>
Date: Fri, 25 Aug 2000 20:22:05 -0700
Reply-To: Joey Hess <joey@KITENET.NET>
From: Joey Hess <joey@KITENET.NET>
X-To: Signal 11 <signal11@MEDIAONE.NET>, submit@bugs.debian.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NEBBKPCNALMEJENIHFBIKEDCCAAA.signal11@mediaone.net>; from
signal11@MEDIAONE.NET on Fri, Aug 25, 2000 at 07:53:24AM -0500
Package: xchat
Version: 1.4.2-1.1
Severity: important
Signal 11 wrote:
> Just to chime in here, for distributions who haven't released an
> update the source for 1.4.2 is available on the author's website here
> for the impatient: http://xchat.linuxpower.org/index.html
>
> I checked, and the latest stable release of debian is not vulnerable
> (See http://www.debian.org/Packages/stable/net/ )
Actually it is. The "netscape (existing)" and "netscape (new window)"
menu entries are safe, but other menu entries (I tried the one for lynx)
do expose the url to the shell.
By the way, a way to exploit this that that's not too blatent, if you
don't mind just DOS-ing the victim, is something like
http://drugs.org/just/say/`yes` (warning, following said url in xchat
will eat all memory you are allowed to eat on your system, and thus
tends to crash poorly-configured linux systems).
--
see shy jo
