security hole in ICQ-Webserver
daemon@ATHENA.MIT.EDU (Jan Vogelgesang)
Tue Apr 6 13:28:52 1999
Date: Mon, 5 Apr 1999 23:50:56 +0200
Reply-To: Jan Vogelgesang <wj.Vogelgesang@SAARBRUECKEN.NETSURF.DE>
From: Jan Vogelgesang <wj.Vogelgesang@SAARBRUECKEN.NETSURF.DE>
To: BUGTRAQ@NETSPACE.ORG
Hi,
Some days ago I read a message here in Bugtraq from Ronald A. Jarell about a vulnerability in the ICQ-Webserver. I tried to reproduce this vulnerability on my computer (Win95) and found out the following:
- Sending any non-HTTP stuff or even a simple "get" (without any other characters, however) crashes the ICQ-Client. This works with ICQ99a V2.13 Build 1700, but not with Build 1547.
Moreover, there is a much bigger hole in the ICQ-Webserver: If you have the webserver enabled, anyone can access your complete(!) hard disk with a simple web browser.
When your page is activated and you are online, each request to "http://members.icq.com/<your ICQ-Number>" will be redirected to your computer. Thus, every visitor gets to know your current IP.
Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would come to the root directory of your hard disk.
But there is one barrier: The ICQ-Webserver only delivers files with a ".html" extension. After some experiments I found a way to trick it: I add ".html/" to the URL and the webserver sends every file I request. For instance, "http://<yourIP>/............./config.sys" won't work, but "http://<yourIP>/.html/............./config.sys" would.
I have tested this both with Build 1700 and with Build 1547.
In my opinion, this is a significant security problem, because password files or even the registry in the Windows directory can be read.
I warned Mirabilis about it and hope they will inform the ICQ-community.
Sorry for my poor English...
Jan Vogelgesang
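The two defects described in the post, an extension check applied to the raw URL and a file system that collapses runs of dots into parent-directory steps, can be modelled side by side with a hardened request resolver. This is an added example, not code from the post or from Mirabilis; the docroot, the ICQ number and the "N dots = N-1 steps up" rule for Win9x are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample: the directory the server is meant to serve, with the
# drive root written as "/" so posixpath can normalise it.
DOCROOT = "/ICQ99/Homepage/12345/personal"

def _expand_dots(component):
    """Assumed Win9x behaviour: a component of N dots (N > 2) acts like
    N-1 '..' steps, which is how a run of dots climbs several levels."""
    if len(component) > 2 and set(component) == {"."}:
        return [".."] * (len(component) - 1)
    return [component]

def naive_resolve(url_path):
    """Vulnerable model: looks for '.html' anywhere in the raw URL, then
    hands the unnormalised path to the file system."""
    if ".html" not in url_path:
        return None                       # the extension 'barrier'
    parts = []
    for c in url_path.split("/"):
        parts.extend(_expand_dots(c))
    return posixpath.normpath(DOCROOT + "/" + "/".join(parts))

def safe_resolve(url_path):
    """Hardened: decode, reject dot-run components, normalise, confine the
    result to DOCROOT, and check the extension on the resolved file name."""
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None                       # NUL bytes and backslashes are never legitimate here
    for c in decoded.split("/"):
        if len(c) > 2 and set(c) == {"."}:
            return None                   # '...' style components rejected outright
    resolved = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if posixpath.commonpath([DOCROOT, resolved]) != DOCROOT:
        return None                       # escaped the served directory
    if posixpath.splitext(resolved)[1].lower() != ".html":
        return None                       # '.html/' in the middle no longer counts
    return resolved
```

The naive model reproduces the post's observation that the dots alone are refused while the ".html/" prefix lets the request through to the drive root; the hardened resolver refuses both because it decides on the resolved file name, not on the URL text.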