BearShare Directory Traversal Issue Resurfaces

From: Aviram Jenik (aviramat_private)
Date: Thu Oct 03 2002 - 13:12:31 PDT

      BearShare Directory Traversal Issue Resurfaces
    ------------------------------------------------------------------------
    
    Article reference:
    http://www.securiteam.com/windowsntfocus/6D0010A5PU.html
    
    
    SUMMARY
    
    A while back, BearShare 2.2.2 was reported
    <http://www.securiteam.com/windowsntfocus/5SP0P2K40U.html> to have a
    directory traversal vulnerability. The company fixed that issue, but a
    different variant of the same issue seems to have resurfaced, allowing
    a remote attacker to view any file he desires by issuing a specially
    crafted HTTP request.
    
    Despite a correction attempt on the part of the vendor, the updated
    version is still vulnerable.
    
    DETAILS
    
    Vulnerable systems:
     * BearShare version 4.0.5
     * BearShare version 4.0.6 (second variant)
    
    
    Vendor response:
    "The fix for the directory traversal issue you reported to us has been
    released as part of BearShare 4.0.6. All users will be notified by the
    application itself that a new version is available."
    
    Workaround:
    Users that do not upgrade are recommended to deactivate the built-in
    personal web server by choosing Setup->Uploads and un-checking the
    "Activate the built in personal web server" check box.
    
    Example (first variant):
    Issuing the following request:
    
    http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini
    
    Would translate into:
    http://127.0.0.1:6346/\..\..\..\windows\win.ini
    
    Returning the win.ini file.
    
    Second variant:
    Following the release of BearShare version 4.0.6, Gluck has informed us
    that this version is still vulnerable to a simple variant of the attack,
    which indicates that BearShare has not done a good job of fixing the
    problem. This time, issuing the following request would work:
    
    http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini
    
    
    
    The information has been provided by <mailto:gluckat_private> Gluck
    and <mailto:marioat_private> Mario Solares.
    
    
    --
    Aviram Jenik
    Beyond Security Ltd.
    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com
    
    Know that you're safe:
    http://www.AutomatedScanning.com
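
Both requests in the advisory differ only in how characters are percent-encoded (`%5c` for the backslash, `%2e` for the dot), so a path check has to run on the decoded, normalized path rather than on the raw request string. The following is an added example of such a check, not BearShare's code and not part of the original advisory; `SHARE_ROOT` and `resolve_request` are hypothetical names.

```python
import ntpath
from urllib.parse import unquote, urlsplit

SHARE_ROOT = r"C:\shared"  # assumed share folder, not from the advisory

# The two requests quoted in the advisory.
VARIANT_1 = "http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini"
VARIANT_2 = "http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini"


def resolve_request(url, root=SHARE_ROOT):
    """Map a request URL to a file under root; return None if it would escape."""
    # 1. Percent-decode exactly once, before any check, so %5c and %2e are
    #    judged in the same form the filesystem will see.
    decoded = unquote(urlsplit(url).path)
    # 2. Treat '/' and '\' alike and split into components.
    parts = [p for p in decoded.replace("/", "\\").split("\\") if p]
    for part in parts:
        # Dot-only names ('.', '..', '...') and names Windows would trim to
        # them, drive or stream specifiers (':') and NUL bytes are refused.
        if part.strip(". ") == "" or ":" in part or "\x00" in part:
            return None
    # 3. Build the path and confirm containment on the normalized result.
    candidate = ntpath.normpath(ntpath.join(root, *parts))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([root_norm, ntpath.normcase(candidate)]) != root_norm:
        return None
    return candidate


if __name__ == "__main__":
    for url in (VARIANT_1, VARIANT_2,
                "http://127.0.0.1:6346/music/song%2emp3"):
        print(url, "->", resolve_request(url))
```

The file must then be opened using the returned path as-is; decoding it a second time would reintroduce the problem for double-encoded input.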
    


