On Fri Sep 24 1999 Rodolfo García Peñas wrote: //Hi, // //The irc client Kvirc has this bug: // //<kix> !foo ../../../../../../../etc/passwd //[...] Yes...it is a "real" bug of the 0.9.0 version of KVIrc. Anyway, it is not so easy to download someone's /etc/passwd. First he must have the "Listen to !nick <soundname> requests" option enabled (it is disabled by default). Second , the "offending" user must know where is located the kvirc "local directory" on the victim's machine to be able to place the right path to /etc/passwd. Only version 0.9.0 of KVIrc is vulnerable to this attack. It will be removed from the KVIrc ftp archive as soon as possible. If you are still using KVIrc 0.9.0 you have the following solutions: 1. Disable the "Listen to !nick <soundname> requests." option in the "Sound" tab of the Misc options dialog. (Or better , do not enable it) 2. Get the latest KVIrc sources from http://www.kvirc.org (The latest public release is beta2) or from the anonymous cvs (see http://www.kvirc.org/cvs.html). Szymon Stefanek Author of KVIrc
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:39 PDT