CVE-2021-27229: FIX(client): Only allow "http"/"https" for URLs in ConnectDialog · mumble-voip/mumble@e59ee87
Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.
FIX(client): Only allow "http"/"https" for URLs in ConnectDialog
Our public server list registration script doesn’t have a URL scheme whitelist for the website field.
Turns out a malicious server can register itself with a dangerous URL in an attempt to attack a user’s machine.
User interaction is required, as the URL has to be opened by right-clicking on the server entry and clicking on "Open Webpage".
This commit introduces a client-side whitelist, which only allows “http” and “https” schemes. We will also implement it in our public list.
In future we should probably add a warning QMessageBox informing the user that there’s no guarantee the URL is safe (regardless of the scheme).
Thanks a lot to https://positive.security for reporting the RCE vulnerability to us privately.
Showing with 17 additions and 3 deletions.
- +17 −3 src/mumble/ConnectDialog.cpp
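The client-side scheme allowlist described in the commit message, as an added example that is not Mumble's code from this commit: it uses plain standard C++ instead of Qt, `urlScheme` and `isAllowedWebsiteUrl` are hypothetical names, and the sample URLs are constructed.

```cpp
#include <array>
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
// Returns the scheme lowercased, or nullopt when the string has no valid scheme.
std::optional<std::string> urlScheme(std::string_view url) {
    const auto colon = url.find(':');
    if (colon == std::string_view::npos || colon == 0)
        return std::nullopt;
    if (!std::isalpha(static_cast<unsigned char>(url[0])))
        return std::nullopt;
    std::string scheme;
    for (char c : url.substr(0, colon)) {
        const auto uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.')
            return std::nullopt;  // whitespace, control bytes etc. are not a scheme
        scheme.push_back(static_cast<char>(std::tolower(uc)));
    }
    return scheme;
}

// Allowlist check: only "http" and "https" may reach the OS URL handler.
// Anything unparsable is rejected rather than guessed at (fail closed).
bool isAllowedWebsiteUrl(std::string_view url) {
    static constexpr std::array<std::string_view, 2> allowed = {"http", "https"};
    const auto scheme = urlScheme(url);
    if (!scheme)
        return false;
    for (std::string_view s : allowed)
        if (s == std::string_view(*scheme))
            return true;
    return false;
}

int main() {
    // Constructed sample values for a server entry's website field.
    const char *samples[] = {"https://example.com/", "HTTP://example.com", "file:///tmp/x",
                             " http://example.com", "example.com:8080/", "example.com"};
    for (const char *s : samples)
        std::cout << (isAllowedWebsiteUrl(s) ? "open   " : "reject ") << '"' << s << "\"\n";
}
```

The check belongs immediately before the URL is handed to the platform opener, so a value that arrived from the server list is never passed through unfiltered.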