Mandrake Linux Security Advisory : xchat (MDKSA-2000:039-1)
High Nessus Plugin ID 61832
Synopsis
The remote Mandrake Linux host is missing a security update.
Description
XChat 1.3.9 and later allow users to right-click on a URL appearing in an IRC discussion and select the 'Open in Browser' option. To open the URL in a browser, XChat passes the command to /bin/sh. This allows a malicious URL to execute arbitrary shell commands as the user running XChat. This update changes XChat to bypass the shell and execute the browser directly. Thanks go to Red Hat for providing the patch.
XChat 1.2.1 is vulnerable as well, so an update for 7.0 is now available.
Solution
Update the affected xchat package.