Re: icq DOS / possible "stupid user" vulnerability.

From: Eddie Eddie (desynkat_private)
Date: Mon Mar 29 1999 - 13:25:09 PST


    I also noticed that this works not just for "quit", but for any
    misunderstood command.
    
    Eddie
    
    >From: "Ronald A. Jarrell" <jarrellat_private>
    >Reply-To: "Ronald A. Jarrell" <jarrellat_private>
    >To: BUGTRAQat_private
    >Subject: icq DOS / possible "stupid user" vulnerability.
    >Date: Mon, 29 Mar 1999 01:07:18 -0500
    >
    >Ok, I was a bit surprised when, in playing with the new ICQ99a build
    >1700 v2.13 client (which I believe is the first publicly distributed
    >one of the 99 family), I turned on the "Activate my home page"
    >feature, and turned my laptop into a web server...
    >
    >Complete with a file server that allows by default anything in the
    >"program files\icq\homepage\root\YOUR#\files" folder to be requested.
    >Even set up a guest book, chat service, etc...
    >
    >After getting over being astonished (yea, they said "turning this on
    >might increase people's access to your machine, and tell them your
    >ip address" - of course it will.  You're setting up a bloody web server
    >you idiots.  A bad one at that.) I naturally started doing some poking.
    >
    >Telnet to your port 80, and enter some non http gibberish.  I tried
    >"quit<cr>" for grins.  Blam.  Down goes the ICQ client with a GPF.
    >Got someone else to turn theirs on, and sure enough, managed to shoot
    >him down too.
    >
    >I warned Mirabilis about it.  Folks at institutions that worry about
    >such things, but let their employees run ICQ might want to be aware
    >that said employees might well be running web servers now and not
    >even know it.  On your ICQ contact list, if they're on it, said
    >users show up with a little house next to their name.
    >
    >--
    >Ron Jarrell
    >VA Tech Computing Center
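
The thread does not say why the client faults on unrecognized input. As an added illustration (not Mirabilis code and not written by either poster), this is the strict request-line check an embedded HTTP listener can apply so that "quit" or any other non-HTTP line is answered with a 400 before any further parsing. The function name, the method list, the HTTP/1.x-only rule and the 2048-byte cap are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 2048   /* assumed cap on one request line */

/* Length of the run of printable, non-space ASCII starting at p. */
static size_t token_len(const char *p, const char *end) {
    size_t n = 0;
    while (p + n < end && p[n] > ' ' && p[n] < 0x7f) n++;
    return n;
}

/* Status to answer with: 200 well formed, 400 not an HTTP request line,
 * 414 line too long, 0 no terminator yet (caller keeps reading). */
int check_request_line(const char *buf, size_t len) {
    static const char *methods[] = { "GET", "HEAD", "POST" };  /* assumed set */
    size_t eol = 0, n, i;
    const char *p = buf, *end;

    /* Accept CR or LF as terminator, so a bare "quit<cr>" is a full line. */
    while (eol < len && buf[eol] != '\r' && buf[eol] != '\n') eol++;
    if (eol >= MAX_LINE) return 414;
    if (eol == len) return 0;
    end = buf + eol;

    n = token_len(p, end);                         /* method */
    for (i = 0; i < 3; i++)
        if (n == strlen(methods[i]) && memcmp(p, methods[i], n) == 0) break;
    if (i == 3) return 400;
    p += n;
    if (p == end || *p++ != ' ') return 400;       /* exactly one space */

    n = token_len(p, end);                         /* request target */
    if (n == 0 || *p != '/') return 400;
    p += n;
    if (p == end || *p++ != ' ') return 400;

    /* Version must be exactly HTTP/1.0 or HTTP/1.1, nothing trailing. */
    if ((size_t)(end - p) != 8 || memcmp(p, "HTTP/1.", 7) != 0) return 400;
    return (p[7] == '0' || p[7] == '1') ? 200 : 400;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *in[] = { "quit\r", "GET /files/a.txt HTTP/1.0\r\n", "\r\n" };
    for (size_t i = 0; i < 3; i++)
        printf("%d\n", check_request_line(in[i], strlen(in[i])));
    return 0;
}
```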
    


