Bug #135
Check password before initializing libpurple
| Status: | Closed | Start: | 2009-08-16 |
|---|---|---|---|
| Priority: | Urgent | Due date: | 2009-08-16 |
| Assigned to: | | % Done: | 100% |
| Category: | Core | Spent time: | 1.00 hour |
| Target version: | 1.0 | Estimated time: | 2.00 hours |
| libpurple: | | | |
Description
At connection, when the user sends the USER, PASS and NICK commands, minbif initializes libpurple, which sends some notices to the user, before checking the password!
```
13:04:34 . Irssi: Connection to localhost established
13:04:34 !ip6-localhost Minbif-IRCd initialized, please go on
13:04:35 !ip6-localhost [WARNING] [dbus] Failed to get connection: /usr/bin/dbus-launch terminated abnormally with the following error: Autolaunch error: X11 initialization failed.
13:04:35 !ip6-localhost [WARNING] [plugins] /usr/lib/purple-2/libsametime.so has a prefs_info, but is a prpl. This is no longer supported.
13:04:35 !ip6-localhost [WARNING] [plugins] /usr/lib/purple-2/liboscar.so is not usable because the 'purple_init_plugin' symbol could not be found. Does the plugin call the PURPLE_INIT_PLUGIN() macro?
13:04:35 !ip6-localhost [WARNING] [plugins] /usr/lib/purple-2/libjabber.so is not usable because the 'purple_init_plugin' symbol could not be found. Does the plugin call the PURPLE_INIT_PLUGIN() macro?
13:04:35 !ip6-localhost *** Notice -- jabber0(1/4): Connecting
13:04:35 !ip6-localhost *** Notice -- irc0(1/1): Connecting
13:04:35 . ERROR Closing Link: Incorrect password
13:04:35 . Irssi: Connection lost to localhost
```
This is a little “vulnerability”, because before being disconnected, the user learns what accounts the user has. And potentially, libpurple tries to connect to the accounts before minbif checks the password.
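The ordering this report asks for, as an added example that is not minbif's code: the password check gates backend start-up, so a failed login produces no notices and no outbound account connections. `Backend`, `Session`, `attempt` and the stored secret are hypothetical names and constructed sample values.

```cpp
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the IM backend (libpurple in minbif's case).
struct Backend {
    bool initialized = false;
    std::vector<std::string> notices;  // lines that would reach the client
    void init(const std::string& user) {
        initialized = true;
        notices.push_back("*** Notice -- " + user + "0: Connecting");
    }
};

class Session {
public:
    Session(Backend& b, std::string stored)
        : backend_(b), stored_(std::move(stored)) {}
    // Handle one registration command; returns the reply for the client.
    std::string handle(const std::string& cmd, const std::string& arg) {
        if (closed_ || registered_) return "";
        if (cmd == "PASS") { pass_ = arg; have_pass_ = true; }
        else if (cmd == "USER") user_ = arg;
        else if (cmd == "NICK") nick_ = arg;
        if (user_.empty() || nick_.empty()) return "";  // registration incomplete
        // Gate: authenticate first, touch the backend only afterwards.
        // Simplification: a real server would verify a password hash here.
        if (!have_pass_ || pass_ != stored_) {
            closed_ = true;
            return "ERROR :Closing Link: Incorrect password";
        }
        registered_ = true;
        backend_.init(user_);
        return "001 " + nick_ + " :Welcome";
    }
private:
    Backend& backend_;
    std::string stored_, pass_, user_, nick_;
    bool have_pass_ = false, closed_ = false, registered_ = false;
};

// Replays the USER, PASS, NICK sequence from the report (constructed input).
struct Outcome { std::string reply; bool backend_started; std::size_t notices; };
Outcome attempt(const std::string& supplied) {
    Backend b;
    Session s(b, "constructed-sample-secret");
    s.handle("USER", "alice");
    s.handle("PASS", supplied);
    std::string r = s.handle("NICK", "alice");
    return {r, b.initialized, b.notices.size()};
}
```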
History
Updated by Romain Bignon 7 months ago
- Due date set to 2009-08-16
- Status changed from New to Closed
- Assigned to set to Romain Bignon
Updated by Romain Bignon 7 months ago
- % Done changed from 0 to 100