linuxdcpp-team team mailing list archive
-
linuxdcpp-team team
-
Mailing list archive
-
Message #08462
[Bug 1502650] Re: DC++ 0.851 - Arbitrary code execution
Exactly my thoughts poy.
Like the recent rar exploit that's been in the headlines absolutely unnecessarily; if you click a malicious link or download and install a malicious executable yourself, well, it has always been the users' responsibility.
Combined the chat link with unicode quirks can rather be called dangerous but that needs a fix somewhere else.
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1502650
Title:
DC++ 0.851 - Arbitrary code execution
Status in DC++:
New
Bug description:
Details and PoC:
http://kacperrybczynski.com/research/dcpp_851_arbitrary_code_execution/
By supplying an UNC path in the *.dcext plugin file or main/pm hub
chat, a remote file will be automatically downloaded, which can result
in arbitrary code execution.
To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1502650/+subscriptions
References