PT-2010-1839 · Adium+2 · Adium+3

Fabian Yamaguchi +1 · Published 2010-01-09 · Updated 2024-01-26 · CVE-2010-0013

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Pidgin versions 2.6.4
Adium versions 1.3.8

Description

A directory traversal issue in the MSN protocol plugin in libpurple allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon request. This issue is related to a problem where an emoticon download request is processed without a preceding text/x-mms-emoticon message announcing the emoticon's availability.

Recommendations

For Pidgin version 2.6.4, consider disabling the MSN protocol plugin until a patch is available. For Adium version 1.3.8, restrict access to the MSN emoticon download feature to minimize the risk of exploitation.
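
The two conditions named in the description can be enforced together on the receiving side: serve an emoticon only if it was announced earlier, and only if the requested name is a plain file name. The following is an added example, not libpurple's code or the actual fix; the struct, the function names and the sample data are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record of emoticon names this client announced in earlier
 * text/x-mms-emoticon messages (not a libpurple data structure). */
struct announced_emoticons {
    const char *names[8];
    size_t count;
};

/* Constructed sample data for the demonstration. */
static const struct announced_emoticons sample_announced = {
    { "smile.png", "wink.gif" }, 2
};

/* True if the name is empty, contains a path separator, or is a dot entry,
 * i.e. it could resolve outside the emoticon directory. */
static bool has_traversal(const char *name)
{
    if (name[0] == '\0')
        return true;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return true;
    return strcmp(name, ".") == 0 || strcmp(name, "..") == 0;
}

/* Allow a download request only for a plain file name that was announced. */
bool emoticon_request_allowed(const struct announced_emoticons *a,
                              const char *requested)
{
    if (a == NULL || requested == NULL || has_traversal(requested))
        return false;
    for (size_t i = 0; i < a->count; i++)
        if (strcmp(a->names[i], requested) == 0)
            return true;
    return false; /* never announced: refuse even if the file exists */
}

int main(void)
{
    const char *reqs[] = { "smile.png", "../private/notes.txt", "other.png" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s %s\n", reqs[i],
               emoticon_request_allowed(&sample_announced, reqs[i])
                   ? "serve" : "reject");
    return 0;
}
```

The allow-list check alone would already refuse a dot-dot name, but keeping the separator check makes the rejection independent of how the announced list is populated.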

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2010-0013
OPENSUSE-SU-2024:10432-1
RHSA-2010:0044
RHSA-2010_0044

Affected Products

Adium
Pidgin
Red Hat
Libpurple