COMMAND

    kicq

SYSTEMS AFFECTED

    kicq

PROBLEM

    Marc Roessler found the following.  There is a security-related
    problem with kicq.  The authors were contacted and provided with a
    suggestion for a patch, which should be available soon.  Marc did
    not find anything in the archive on this, so here we go.

    kicq is a free ICQ client clone.  Unfortunately, received
    (untrusted!) URLs are passed to the configured web browser (the
    default is kfmclient) through system() without any sanity checking.
    The only user action needed for this is to click "Open" in a popup
    menu.

    He tried version 1.0.0, which is definitely vulnerable.  Other
    versions (such as 2.0.0b1) appear to be vulnerable as well, though
    he did not compile them to check.

    The problem is in file kicq/utils/kwebbrowser.cpp.  For example:

        system(QString("kfmclient openURL '" + URL + "' &").latin1());

    Other browsers (netscape, lynx, wget) are called the same way, so
    those call sites need to be patched as well.

    Exploiting this is trivial.  By adding shell metacharacters such as
    "'", "&" and ";" it is possible to send commands to the shell.  If
    done creatively, the web browser will still come up, and the user
    will not become suspicious.

    The worst part is that the shell part can be hidden from the user.
    The URL display field shows 123 characters (the number may vary).
    If the URL is longer, only the last 123 characters are visible.
    Spaces count as characters as well!

    The following URL will be visible as "http://www.test.com/" to the
    user (dots are to be replaced by spaces):

        http://www.test.com/test.html'&xterm&'truehttp://www.test.com..............................................................

    When opened by  choosing "Open URL"  in the popup  menu, kfmclient
    will go  and fetch  http://www.test.com/test.html, while  an xterm
    pops up on the desktop.
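    The following is an added example, not kicq's own code, showing how the
    kwebbrowser.cpp call above could be hardened.  It assumes only what the
    advisory states: kfmclient is invoked as "kfmclient openURL <url>", and
    the other browsers are called the same way.  Instead of system() with a
    single-quoted string, the URL is checked against a whitelist of schemes
    and characters and then handed to execvp() as its own argv element, so
    no shell ever parses it; the display helper at the end addresses the
    second problem (the last-123-characters field) by truncating at the tail
    rather than the head.  The fork/execvp launch and the generic
    "<browser> <url>" form for other browsers are assumptions of this
    example.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>
#include <sys/types.h>
#include <unistd.h>

// Accept only what a browser handler should ever receive: a known scheme,
// printable ASCII with no whitespace, and none of the characters /bin/sh
// treats specially.  With execvp() below the metacharacters would already
// be inert, but rejecting whitespace also defeats the space padding that
// pushed the interesting part of the URL out of the display field.
bool is_safe_url(const std::string& url) {
    static const char* const schemes[] = {"http://", "https://", "ftp://"};
    bool scheme_ok = false;
    for (const char* s : schemes)
        if (url.compare(0, std::strlen(s), s) == 0) scheme_ok = true;
    if (!scheme_ok) return false;
    for (unsigned char c : url) {
        if (c <= 0x20 || c >= 0x7f) return false;               // space, control, non-ASCII
        if (std::strchr("'\"`$&|;<>(){}\\*?", c)) return false;  // shell metacharacters
    }
    return true;
}

// One argv element per argument: the URL is never parsed by a shell.  Only
// the kfmclient form comes from the advisory; the generic "<browser> <url>"
// fallback is an assumption of this example.
std::vector<std::string> browser_argv(const std::string& browser,
                                      const std::string& url) {
    if (browser == "kfmclient") return {"kfmclient", "openURL", url};
    return {browser, url};
}

// Replacement for system("<browser> '<url>' &"): validate, then fork and
// execvp() the argument vector directly.  Returns false if the URL was
// rejected or fork() failed.  The child is not waited for (the original
// used "&"), so the caller should reap it via SIGCHLD or waitpid(WNOHANG).
bool open_url(const std::string& browser, const std::string& url) {
    if (!is_safe_url(url)) return false;
    std::vector<std::string> args = browser_argv(browser, url);
    std::vector<char*> argv;
    for (std::string& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0) {
        execvp(argv[0], argv.data());
        _exit(127);  // only reached if exec failed
    }
    return true;
}

// Truncate an over-long URL at the tail instead of the head, so the host
// and path the user is about to open stay visible; width mirrors the
// 123-character field from the advisory.
std::string display_url(const std::string& url, size_t width) {
    if (url.size() <= width) return url;
    return url.substr(0, width - 3) + "...";
}

int main() {
    const std::string ok  = "http://www.test.com/test.html";       // constructed sample
    const std::string bad = "http://www.test.com/test.html'&a&'";  // constructed sample
    std::printf("%s -> %s\n", ok.c_str(),  is_safe_url(ok)  ? "accepted" : "rejected");
    std::printf("%s -> %s\n", bad.c_str(), is_safe_url(bad) ? "accepted" : "rejected");
    for (const std::string& a : browser_argv("kfmclient", ok))
        std::printf("[%s] ", a.c_str());
    std::printf("\n%s\n", display_url(ok + std::string(200, 'x'), 40).c_str());
    return 0;
}
```

    The important change is structural rather than the character list: once
    the URL is an argv element, nothing in it can terminate the command, and
    the whitelist is a second, independent layer.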

    A quick try shows that licq is vulnerable too; however, there the
    complete URL is visible to the user.

    Kaim is similarly vulnerable, though because it is an AIM client the
    URL has to be crafted as an HTML link.  Kaim does not show you the
    URL before you click on it, though it does let you copy it without
    going to it.

SOLUTION

    This has been corrected in the current CVS, which will be the base
    for the next release of KICQ.