-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
The hostname update plugin, which comes with licq by default, forms a security vulnerability. I've opened a bug report in the sourceforge bugzilla, and I've mentioned it on the licq irc channel, but just to be sure it gets through to the developers I'm sending it to the list as well. Sorry if you are already working on it, but I haven't heard anything back yet and I think this is Important. So what's the problem? - From Bugzilla, bug ID 594682: Let's say a cracker creates a new ICQ account and sets the alias to the hostname of your favourite remote box (for example the telnet server at your work). The cracker then sends you a message. The plug-in will add the hostname, together with his IP, to /etc/hosts. Now you want to do some work on the remote machine, and you telnet into it. Since /etc/hosts goes before the DNS server in the search for the right IP address, you will actually connect to the crackers box instead. The cracker can then forward the connection to the real box in the standard man-in-the-middle manner, and monitor your activities, steal passwords, etcetera. With this in mind I suggest the hostname update plugin be removed from the licq distribution ASAP. Regards, Lourens, who is not on the list and would like to be CC'd on any replies. - -- GPG public key: http://home.student.utwente.nl/l.e.veen/lourens.key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9WtuFvmNyqZHWDvURAvzuAKCDUu2t9ojGbck7EIUHWdfGTklpqgCcDeQE Ze8q9Ga5riESoLy9J9jhuiI= =X+D5 -----END PGP SIGNATURE----- ------------------------------------------------------- This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code1 _______________________________________________ Licq-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/licq-devel
