Title: KICQ Remote Arbitrary Command Execution Vulnerability
Severity: HIGH
Description:
KICQ is an ICQ-compatible interactive messaging client for Unix.
Due to an insecurely-structured call to system(), versions of KICQ are vulnerable to remote execution of arbitrary commands embedded in URLs.
A maliciously-composed URL containing shell metacharacters and shell commands can be sent in an instant message by an attacker.
When the KICQ user clicks this link, the hostile commands contained in the URL will execute with the privilege level of the webserver.
In addition to executing the attacker's command, the user's default web browser may also open normally, providing no indication to the target user that the clicked URL was malicious. If the URL is designed properly, it may not be completely displayed to the user, further concealing its hostile nature.
Affected Products:
- KICQ KICQ 1.0.0
References:
- KICQ Development Team: KICQ Website
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
