|
Quassel IRC CTCP Command Injection Vulnerability
|
|
Secunia Advisory:
|
SA32470
|
|
|
Release Date:
|
2008-10-30
|
|
Last Update:
|
2008-12-23
|
|
Popularity:
|
802 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Hijacking
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Quassel IRC 0.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2008-5657
|
|
Description:
Wouter Coekaerts has reported a vulnerability in Quassel IRC, which can be exploited by malicious people to hijack IRC connections.
The vulnerability is caused due to the application not properly handling quoted newline characters when processing CTCP requests. This can be exploited to inject newlines into the user's response, which can be used to e.g. execute IRC commands in the context of the user's IRC session.
The vulnerability is reported in versions prior to 0.3.0.3.
Solution:
Update to version 0.3.0.3.
Provided and/or discovered by:
Wouter Coekaerts
Changelog:
2008-12-23: Added CVE reference.
Original Advisory:
Quassel IRC:
http://quassel-irc.org/node/89
Wouter Coekaerts:
http://wouter.coekaerts.be/site/security/quassel-ctcp
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
