[10136] in bugtraq


security hole (READ AS: security chasm) in ICQ-Webserver

daemon@ATHENA.MIT.EDU (DaChronic)
Thu Apr 8 15:19:24 1999

Date: 	Thu, 8 Apr 1999 00:00:47 -0500
Reply-To: DaChronic <d@CHRONIC.ORG>
From: DaChronic <d@CHRONIC.ORG>
To: BUGTRAQ@NETSPACE.ORG


Aleph,
Sorry about the html.
Thanx

-SNIP!-

>Moreover, there is a much bigger hole in the ICQ-Webserver: If you have the webserver
>enabled, everyone can access your complete(!) harddisk with a simple webbrowser.
>When your page is activated and you are online, each request to
>"http://members.icq.com/<your ICQ-Number>" will be redirected to your computer. Thus, every visitor
>gets to know your current ip.
>Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal" should be
>accessible. But a visitor can "climb up" the directory tree with some dots, e.g.
>"http://<yourIP>/...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With
>some more dots, he would come to the root-directory of your harddisk.
>But there is one barrier: The ICQ-Webserver only delivers files with a ".html" extension.
>After some experiments I found a way to trick it out: I add ".html/" to the URL and the
>Webserver sends every file I request. For instance,
>"http://<yourIP>/............./config.sys" won't work, but
>"http://<yourIP>/.html/............./config.sys" would.
>I have tested this both with Build 1700 and with Build 1547.
-SNIP!-

So speaketh Jan Vogelgesang
and
So spake I:

 I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes
nor sp4 (can anyone else?). Furthermore, when you download someone's
user.dat or system.dat, IT WILL CORRUPT their registry, or so their
"win popup" will tell them. This was successful twice on 95 and 98;
however, it was not on NT.

- - -d0c

d0c70r d4chr0n1c (d0c) of http://chronic.org -CONTACTS-
ICQ# 182533 <---- HEH!, EGN# 7278, and/ or  mailto:d@chronic.org .

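A model of the two checks the quoted report describes, written as an added example for this archive page and not ICQ's own code: `naive_resolve` mirrors the reported behaviour (a substring test for `.html` applied before the path is resolved), while `hardened_resolve` shows the order a defender wants (resolve, confine to the document root, then test the extension of the final component). The document root, the `UIN` placeholder and the use of `..` components in place of the Win9x multi-dot form are assumptions.

```python
"""Constructed model of the ICQ-Webserver checks discussed above.
Paths are resolved as POSIX-style strings with posixpath, so no file on the
host is read; the point is the order of the checks, not the file system."""
import posixpath
from typing import Optional

# Constructed document root in the layout the report names; UIN is a placeholder.
DOCROOT = "/ICQ99/Hompage/UIN/personal"


def naive_resolve(req_path: str) -> Optional[str]:
    """The flawed pattern from the report: accept any request that contains
    '.html' anywhere, then let path resolution collapse the dot components.
    Returns the path that would be served, or None when refused."""
    if ".html" not in req_path:
        return None                       # the only barrier the report mentions
    return posixpath.normpath(DOCROOT + "/" + req_path)


def hardened_resolve(req_path: str) -> Optional[str]:
    """Confine the resolved path first, then check its extension."""
    if "\0" in req_path:                  # embedded NUL truncates C paths
        return None
    parts = [p for p in req_path.split("/") if p]
    # Reject any component made only of dots: '..' is the POSIX parent, and
    # Win9x also treated '...' and longer runs as further parent steps
    # (the "some dots" climb in the report). A lone '.' is harmless.
    if any(set(p) == {"."} and p != "." for p in parts):
        return None
    candidate = posixpath.normpath(posixpath.join(DOCROOT, *parts))
    # Containment against the canonical root; the trailing "/" stops a
    # sibling such as ".../personal2" from matching as a string prefix.
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    # Extension test on the basename of the *resolved* path, so ".html/"
    # appearing in an earlier component no longer satisfies it.
    if not posixpath.basename(candidate).lower().endswith(".html"):
        return None
    return candidate
```

Percent-decode the request before these checks; the model assumes the path has already been decoded once.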
