[v2.6] znc: NULL pointer dereference (CVE-2014-9403)
The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a “use-after-delete” error.
References:
http://seclists.org/oss-sec/2014/q4/1081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9403
CONFIRM: https://github.com/znc/znc/issues/528
(from redmine: issue id 3797, created on 2015-01-27, closed on 2017-09-05)
- Relations:
- parent #3796