*** This bug is a security vulnerability ***

Private security bug reported:

">" symbol at the end of a username gets stripped off while being displayed in public/private chat. So this will allow impersonation of users on chat. Check the attached screenshot.

By connecting to the hub with the username "PtokaX>" (NMDC), all my public/private chat messages will appear to dcplusplus users as if they are from "PtokaX" itself.

Version: 0.843
Hub software used for testing: PtokaX 0.5.0.2
OS: Windows XP SP3

** Affects: dcplusplus
     Importance: Undecided
         Status: New

** Attachment added: "Screenshot of how crafted messages are shown"
   https://bugs.launchpad.net/bugs/1390988/+attachment/4256848/+files/Screen%20Shot%202014-11-10%20at%202.53.03%20am.png

https://bugs.launchpad.net/bugs/1390988

Title:
  Username spoofing in chat

Status in DC++:
  New
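
The ambiguity behind this report, as an added example that is not DC++'s own code: a parser that ends the nick at the first ">" attributes the line to "PtokaX", while a strict parser rejects it. The function names, the "<nick> text" framing of the sample line, the rejected character set and the user-list check are assumptions of this example.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Hypothetical helpers; assumes NMDC chat lines are framed as "<nick> text".
using ChatLine = std::pair<std::string, std::string>; // {nick, text}

// Ambiguous parse: the nick ends at the first '>', so a line sent by the
// user "PtokaX>" is attributed to "PtokaX".
ChatLine parseNaive(const std::string& line) {
    std::string::size_type end = line.find('>');
    if (line.empty() || line[0] != '<' || end == std::string::npos)
        return ChatLine("", line);
    return ChatLine(line.substr(1, end - 1), line.substr(end + 1));
}

// Assumed policy: a nick must not contain framing or separator characters.
bool nickIsSafe(const std::string& nick) {
    return !nick.empty() && nick.find_first_of("<> |$") == std::string::npos;
}

// Strict parse: nick ends at the "> " delimiter, passes nickIsSafe, and is a
// user the hub has announced. An empty nick in the result means "rejected".
ChatLine parseStrict(const std::string& line, const std::set<std::string>& users) {
    std::string::size_type end = line.find("> ");
    if (line.empty() || line[0] != '<' || end == std::string::npos)
        return ChatLine("", line);
    std::string nick = line.substr(1, end - 1);
    if (!nickIsSafe(nick) || users.count(nick) == 0)
        return ChatLine("", line);
    return ChatLine(nick, line.substr(end + 2));
}

int main() {
    // Constructed sample: hub user list and the chat line from the report's scenario.
    std::set<std::string> users = {"PtokaX", "PtokaX>", "alice"};
    std::string spoofed = "<PtokaX>> hello";
    std::cout << "naive:  [" << parseNaive(spoofed).first << "]\n";
    std::cout << "strict: [" << parseStrict(spoofed, users).first << "]\n";
    std::cout << "strict: [" << parseStrict("<alice> hi", users).first << "]\n";
    return 0;
}
```

A rejected line should be dropped or shown with its raw, unparsed sender field so that it cannot be mistaken for a message from another user.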