security hole (READ AS: security chasm) in ICQ-Webserver

From: DaChronic (dat_private)
Date: Wed Apr 07 1999 - 22:00:47 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Aleph,
    Sorry about the html.
    Thanx
    
    - -SNIP!-
    
    >Moreover, there is a much bigger hole in the ICQ-Webserver: If you
    >have the webserver enabled, everyone can access your complete(!)
    >hard disk with a simple web browser.
    >When your page is activated and you are online, each request to
    >"http://members.icq.com/<ICQ-Number>" will be redirected to your
    >computer. Thus, every visitor gets to know your current IP.
    >Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal"
    >should be accessible. But a visitor can "climb up" the directory tree
    >with some dots, e.g. "http://<yourIP>/...../a2.html" would present him
    >the file "a2.html" in the "ICQ99" directory. With some more dots, he
    >would come to the root directory of your hard disk.
    >But there is one barrier: The ICQ-Webserver only delivers files with
    >a ".html" extension.
    >After some experiments I found a way to trick it out: I add ".html/"
    >to the URL and the Webserver sends every file I request. For instance,
    >"http://<yourIP>/............./config.sys" won't work, but
    >"http://<yourIP>/.html/............./config.sys" would.
    >I have tested this both with Build 1700 and with Build 1547.
    - -SNIP!-
    
    So speaketh Jan Vogelgesang
    and
    So spake I:
    
     I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes
    nor sp4 (can anyone else?). Furthermore, when you download someone's
    user.dat or system.dat, IT WILL CORRUPT their registry, or so their
    "win popup" will tell them. This was successful twice on 95 and 98;
    however, it was not on NT.
    
    - - -d0c
    
    d0c70r d4chr0n1c (d0c) of http://chronic.org -CONTACTS-
    ICQ# 182533 <---- HEH!, EGN# 7278, and/ or  mailto:dat_private .
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.0.2 for non-commercial use <http://www.pgp.com>
    Comment: PGP ENCRYPTED / SIGNED MAIL PREFERRED
    
    iQA/AwUBNww3/0LHWmBTEtAREQKcvwCfbmNv/RCfb4X2xw0T1dx2m9CIuuAAnRQ5
    1/qslQgb7N83mL8IRjympXlV
    =J7hE
    -----END PGP SIGNATURE-----
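The two defects the quoted report describes are (a) a path filter that accepts runs of dots as parent-directory references and (b) an extension check that matches ".html" anywhere in the URL instead of on the file finally opened. The following is an added example written for this archive page, not code from ICQ, Mirabilis or anyone in the thread: it places the flawed substring check beside a resolver that decodes once, refuses any dot-only segment, confines the normalised path to the document root, and judges the suffix on the final component only; a second function scans constructed web-server log lines for the two request shapes from the report so an operator can spot them. The document root, the suffix list, the log format and all function names are assumptions for the example.

```python
"""Hardened request-path handling for a small personal-homepage file server,
contrasted with the substring extension check described in the thread.
Added example; not ICQ code. Paths, log lines and names are constructed."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document root: the only directory visitors should ever read from.
DOC_ROOT = "/srv/icq99/homepage/12345/personal"
ALLOWED_SUFFIXES = (".html", ".htm")


def weak_is_allowed(url_path: str) -> bool:
    """Mimics the flawed filter from the report: '.html' anywhere in the request
    satisfies it, so a '.html/' pseudo-directory in front of a traversal passes.
    Kept only as the 'before' case; never use this."""
    return ".html" in url_path.lower()


def safe_resolve(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map a request path to a file under doc_root, or return None to refuse it."""
    # 1. Decode percent-encoding once, drop any query string, unify separators.
    raw = unquote(url_path.split("?", 1)[0]).replace("\\", "/")
    segments = [s for s in raw.split("/") if s]
    # 2. Refuse every segment made only of dots: '..' as well as the '...'/'....'
    #    shorthand that DOS-era filesystems expanded to several parent steps.
    if any(set(seg) == {"."} for seg in segments):
        return None
    # 3. Normalise and confine the result to the document root.
    candidate = posixpath.normpath(posixpath.join(doc_root, *segments))
    if not (candidate == doc_root or candidate.startswith(doc_root + "/")):
        return None
    # 4. Judge the extension on the final component of the normalised path,
    #    never on a substring of the URL; a bare directory request is refused too.
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


# Dot-only path segment (two or more dots) or an '.html/' / '.htm/' pseudo-directory.
SUSPICIOUS = re.compile(r"(^|/)\.{2,}(/|$)|\.html?/", re.IGNORECASE)

# Constructed access-log lines in a common-log-like layout for the demonstration.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/1999:22:00:47] "GET /a2.html HTTP/1.0" 200
10.0.0.9 - - [07/Apr/1999:22:01:03] "GET /...../a2.html HTTP/1.0" 200
10.0.0.9 - - [07/Apr/1999:22:01:10] "GET /.html/............./config.sys HTTP/1.0" 200
10.0.0.7 - - [07/Apr/1999:22:02:00] "GET /pics/index.html HTTP/1.0" 200
"""


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return the request paths in log_text that carry a dot-only segment or a
    '.html/' pseudo-directory, the two shapes described in the report."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|HEAD|POST) (\S+) ', line)
        if not m:
            continue
        path = unquote(m.group(1))
        if SUSPICIOUS.search(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for req in ("/a2.html", "/...../a2.html", "/.html/............./config.sys"):
        print(f"{req:40} weak={weak_is_allowed(req)!s:5} safe={safe_resolve(req)}")
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The resolver is deliberately strict: rather than collapsing `..` segments and then checking the result, it refuses any dot-only segment outright, which also closes the multi-dot shorthand that a POSIX-style `normpath` would not recognise as traversal. Decoding exactly once before splitting is what keeps `%2e%2e` from slipping past the segment check.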
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:47 PDT