bug in iChat 3.0 (maybe others)

From: Jon Beaton (jonat_private)
Date: Wed Sep 09 1998 - 16:19:28 PDT

Next message: Mark Gansle: "Re: NT4-SP3 Sequence Prediction"

Previous message: Jay D. Dyson: "Sun Security Bulletin #00174 (ping) and #00175 (mailtool)"
Next in thread: Renzo Toma: "Re: bug in iChat 3.0 (maybe others)"
Reply: Renzo Toma: "Re: bug in iChat 3.0 (maybe others)"
Reply: Steve Kann: "Re: bug in iChat 3.0 (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
port 4080 as default. From what I've noticed, it just uses http, and has
a bug which lets following /../../../ be ran on the URL using any web
browser.  For example, something like:

http://chat.server.com:4080/../../../etc/passwd

will display the passwd file. With this you can view any file on the
system that 'nobody' has access to. I was only able to test this on
version 3.0 of the software, and running on Solaris. I contacted the
company about this, all they said was that if you're using 3.0, you
should upgrade to 3.03 as soon as possible.  I don't even know if this
particular bug is fixed in that version. If you can try this on other
versions and OS's, I'd like to hear about the results.

Thanks,

Jon Beaton
jonat_private
jbx @ Undernet

Next message: Mark Gansle: "Re: NT4-SP3 Sequence Prediction"
Previous message: Jay D. Dyson: "Sun Security Bulletin #00174 (ping) and #00175 (mailtool)"
Next in thread: Renzo Toma: "Re: bug in iChat 3.0 (maybe others)"
Reply: Renzo Toma: "Re: bug in iChat 3.0 (maybe others)"
Reply: Steve Kann: "Re: bug in iChat 3.0 (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:42 PDT