On Wed, Sep 09, 1998 at 04:19:28PM -0700, Jon Beaton wrote:
> Hi,
>
> The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
> port 4080 as default. From what I've noticed, it just uses http, and has
> a bug which lets following /../../../ be run on the URL using any web
> browser. For example, something like:
>
> http://chat.server.com:4080/../../../etc/passwd

They (ichat) know about this problem, and have fixed it in versions greater than 3.00. It's a pretty stupid problem to have in the first place, though.

What really irked me about this when I found out about it was this:

1) I found out about it as it was being exploited by an I-chat technical support representative, who was using it to read certain configuration files on my machine. He wasn't necessarily being malicious, but he _was_ accessing files on my machine, using a security flaw in their software, without my consent. Not exactly an experience that gives one a "warm/fuzzy feeling".

2) They released a version 3.00 for linux, but did not release a fixed version for linux. So, users running it on linux were forced to either stop using it altogether, or live with the problem. The third possibility, running it in a protected chrooted environment, is what I chose for the period of time that I needed to continue running the software.

I figured that if they had this kind of bug, who knows how many exploitable buffer overflows there are.

-SteveK

--
Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502
Personal:stevekat_private Business:stevekat_private (212) 533-1775
I do not want your product or service, and I do not want your money.
Therefore, do not send me any information about it.
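The flaw described in this thread is a classic HTTP directory traversal: the server appends the request path to its document root without collapsing `..` segments, so `/../../../etc/passwd` walks out of the document tree. The following is an added example, not code from either poster and not iChat's own code, contrasting the naive path construction with a canonicalizing resolver that refuses any path climbing above the document root, and then reusing that resolver to flag traversal attempts in access-log lines. The document root `/opt/ichat/htdocs` and the log lines are assumed and constructed for illustration.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root; the real iChat ROOMS layout is not known here.
DOC_ROOT = "/opt/ichat/htdocs"


def naive_path(url_path, doc_root=DOC_ROOT):
    """The vulnerable pattern: plain concatenation.

    The kernel resolves '..' for us, so 'doc_root/../../../etc/passwd'
    is simply /etc/passwd and the server happily serves it.
    """
    return doc_root + url_path


def resolve_under_root(url_path, doc_root=DOC_ROOT):
    """Map a request target to a filesystem path, or return None if it
    would escape doc_root.

    Steps: drop the query string, percent-decode once (so %2e%2e is seen
    as '..'), reject NUL bytes, then walk the segments with an explicit
    stack so that popping past the root is detected instead of being
    silently clamped (posixpath.normpath('/../x') == '/x' hides the attempt).
    """
    path = url_path.split("?", 1)[0]
    path = unquote(path)
    if "\x00" in path:
        return None
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # attempt to climb above the document root
            parts.pop()
            continue
        parts.append(seg)
    # Caveat: this checks the lexical path only. A symlink inside doc_root
    # can still point outside it; resolve with os.path.realpath at open
    # time (or run chrooted, as the poster did) if that matters.
    return posixpath.join(doc_root, *parts) if parts else doc_root


# Minimal common-log-format request-line matcher.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]"')


def find_traversal_attempts(log_lines, doc_root=DOC_ROOT):
    """Return the log lines whose request target escapes doc_root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and resolve_under_root(m.group(1), doc_root) is None:
            hits.append(line)
    return hits


# Constructed sample access log, not real iChat output.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/1998:16:19:28 -0700] "GET /rooms/lobby.html HTTP/1.0" 200 1342',
    '10.0.0.9 - - [09/Sep/1998:16:20:01 -0700] "GET /../../../etc/passwd HTTP/1.0" 200 812',
    '10.0.0.9 - - [09/Sep/1998:16:20:07 -0700] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 812',
    '10.0.0.5 - - [09/Sep/1998:16:21:13 -0700] "GET /rooms/../index.html HTTP/1.0" 200 512',
]


if __name__ == "__main__":
    bad = "/../../../etc/passwd"
    print("naive  :", os.path.normpath(naive_path(bad)))   # /etc/passwd
    print("checked:", resolve_under_root(bad))              # None
    for line in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", line)
```

Note that `/rooms/../index.html` is legitimately allowed: `..` is only a problem when it pops past the root, which is exactly what a stack-based walk makes visible. Percent-decoding happens once, before the walk, so `%2e%2e` cannot slip through as an opaque segment; a server that decodes a second time later would need the check repeated after that decode.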
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:46 PDT