
linuxdcpp-team team mailing list archive

[Bug 1189975] [NEW] Forbidden commands in ADC

 

*** This bug is a security vulnerability ***

Private security bug reported:

When DC++ receives a STA message with code 25, it adds the command to
the list of forbidden outgoing commands. However, the client doesn't
check that the STA message originates from the hub, so any other client
could send malicious STA messages and prevent DC++ from sending any
outgoing command via the hub. The fix is rather trivial.

I generally dislike the way code 25 is handled, as DC++ doesn't
notify the user when it blocks a command, nor when an outgoing
command is disregarded right before sending.

** Affects: dcplusplus
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1189975

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1189975/+subscriptions
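
An added example, not DC++ code and not part of the original report: one way to apply the origin check the report asks for, together with a record of blocked and dropped commands for the user. The HubSession class and the sample lines are hypothetical; it assumes hub-originated messages carry the ADC type character I and that the forbidden command's FourCC arrives in an FC named parameter.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical hub-session model, not DC++'s own classes.
class HubSession {
    std::set<std::string> forbidden_;  // FourCCs we will refuse to send
    std::vector<std::string> audit_;   // notices the user should see
public:
    // Returns true only when the line added a command to the forbidden list.
    bool onLine(const std::string& line) {
        std::istringstream in(line);
        std::string head, tok, code, fourcc;
        if (!(in >> head) || head.size() != 4 || head.substr(1) != "STA") return false;
        const char type = head[0];
        // Skip the SID fields that precede the parameters for non-hub types.
        int skip = type == 'B' ? 1 : (type == 'D' || type == 'E' || type == 'F') ? 2 : 0;
        while (skip-- > 0) in >> tok;
        if (!(in >> code) || code.size() != 3 || code.substr(1) != "25") return false;
        while (in >> tok)
            if (tok.size() == 6 && tok.compare(0, 2, "FC") == 0) fourcc = tok.substr(2);
        if (fourcc.empty()) return false;
        if (type != 'I') {  // origin check: only the hub may forbid a command
            audit_.push_back("ignored STA 25 for " + fourcc + " from non-hub origin");
            return false;
        }
        forbidden_.insert(fourcc);
        audit_.push_back("hub forbade " + fourcc);
        return true;
    }
    // Returns true if the command may go out; records a notice when it is dropped.
    bool maySend(const std::string& fourcc) {
        if (!forbidden_.count(fourcc)) return true;
        audit_.push_back("dropped outgoing " + fourcc);
        return false;
    }
    const std::vector<std::string>& audit() const { return audit_; }
};

int main() {
    HubSession s;
    // Constructed sample lines; the SIDs AAAB and AAAC are made up.
    s.onLine("DSTA AAAB AAAC 125 denied FCBSCH");  // relayed from another client
    s.onLine("ISTA 125 denied FCBMSG");            // sent by the hub itself
    std::cout << s.maySend("BSCH") << s.maySend("BMSG") << '\n';
    for (const auto& a : s.audit()) std::cout << a << '\n';
}
```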

