Re: Security hole in kicq

[Graham Roff <graham () LICQ ORG>]

> > I tried with version 1.0.0, it is vulnerable for sure.
> > Other versions (such as 2.0.0b1) seem to be vulerable as well,
> > though i did not compile them to try.
> one little try shows that licq (http://licq.org) is vulerable too however the
> complete url will be visible to the user.

I would argue that this is not a vulnerability at all, as the user must
look at the url and then click on "View Url".  Just like email
attachments, it is up to the user to "not be an idiot".  As a user of Licq
(or whatever client) I find it useful to be able to click on a button
instead of cutting/opening netscape/pasting.  I always look at the url to
make sure it's sane.
In any event, as the author of Licq, I do not plan on removing this
functionality.  However, urls are no longer viewed using system() but a
somewhat more secure call to execvp, passing the url as the first
argument.
Licq 1.0.3 will be out shortly with this and other bug fixes.

_____________________________________________________________________
Graham Roff                         groff () engmail uwaterloo ca
University of Waterloo              ICQ #2127503
Computer Engineering                Canada

Nolites tes bastardes carborundorum