
linuxdcpp-team team mailing list archive

[Bug 1390988] [NEW] Username spoofing in chat

 

*** This bug is a security vulnerability ***

Private security bug reported:

">" symbol at the end of a username gets stripped off while being
displayed in public/private chat. So this will allow impersonation of
users on chat. Check the attached screenshot. By connecting to the hub
with the username "PtokaX>" (NMDC), all my public/private chat messages
will appear to dcplusplus users as if they are from "PtokaX" itself.

Version: 0.843
Hub software used for testing: PtokaX 0.5.0.2
OS: Windows XP SP3

** Affects: dcplusplus
     Importance: Undecided
         Status: New

** Attachment added: "Screenshot of how crafted messages are shown"
   https://bugs.launchpad.net/bugs/1390988/+attachment/4256848/+files/Screen%20Shot%202014-11-10%20at%202.53.03%20am.png

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1390988

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1390988/+subscriptions
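
A client-side check for the spoofing described in the report above, as an added example that is not DC++ code and not part of the original message. It assumes NMDC chat lines are framed as "<nick> text" and that the client holds the hub's user list; all function names and the sample lines are constructed for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>

// One NMDC chat line, assumed framing "<nick> text".
struct ChatLine { std::string nick, text; };

// Split on the first "> " so a nick ending in '>' stays inside the nick.
bool parseChatLine(const std::string& line, ChatLine& out) {
    if (line.empty() || line[0] != '<') return false;
    const auto end = line.find("> ");
    if (end == std::string::npos || end < 2) return false;  // no or empty nick
    out.nick = line.substr(1, end - 1);
    out.text = line.substr(end + 2);
    return true;
}

// True if the nick contains characters that frame NMDC chat or commands.
bool hasFramingChars(const std::string& nick) {
    return nick.find_first_of("<>|$ ") != std::string::npos;
}

// The nick as the report says it is displayed: trailing '>' stripped
// (repeated trailing '>' handled too, as an assumption).
std::string displayedAs(std::string nick) {
    while (!nick.empty() && nick.back() == '>') nick.pop_back();
    return nick;
}

enum class Verdict { Ok, Malformed, SuspiciousNick, Impersonation };

// Classify one chat line against the hub's user list.
Verdict classify(const std::string& line, const std::set<std::string>& users) {
    ChatLine parsed;
    if (!parseChatLine(line, parsed)) return Verdict::Malformed;
    if (!hasFramingChars(parsed.nick)) return Verdict::Ok;
    const std::string shown = displayedAs(parsed.nick);
    if (shown != parsed.nick && users.count(shown)) return Verdict::Impersonation;
    return Verdict::SuspiciousNick;
}

int main() {
    // Constructed user list and chat lines.
    const std::set<std::string> users{"PtokaX", "alice", "PtokaX>"};
    for (const char* l : {"<alice> hi", "<PtokaX>> hi", "<bob>> hi", "hi"})
        std::cout << l << " -> " << static_cast<int>(classify(l, users)) << '\n';
}
```

A client can render Impersonation and SuspiciousNick lines with the full, unstripped nick and a visible marker instead of dropping them, so the user sees that the sender is not the account it resembles.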

