[10180] in bugtraq
Re: ICQ Webserver bug
daemon@ATHENA.MIT.EDU (Frank Dekervel)
Mon Apr 12 16:26:28 1999
Date: 	Sat, 10 Apr 1999 20:45:56 +0200
Reply-To: Frank Dekervel <kervel@SVENNIEBOY.TERBANK.KOTNET.ORG>
From: Frank Dekervel <kervel@SVENNIEBOY.TERBANK.KOTNET.ORG>
X-To:         Kaven Rousseau <rousseau@GLOBETROTTER.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <4.1.19990408192959.009c0760@globetrotter.qc.ca>
Hmm,
I'd like to add one last thing to this, according to me, much too long
thread. (It seems some writers aren't thinking about the cause.)
If you have a look at the pseudocode below, which I suspect Mirabilis
uses, you'll find thousands of ways to exploit ICQ.
fread(my_socket,"%s %s %s", getword, url, httpversion);
 /// if you only feed two or one word, it 'dumps core', gpf under windoze
change the slashes in url to backslashes;
url = "c:\program files\icq\webroot_dir\" + url;
 /// yes, this is the '../../../../' bug ...
open(fd,url);
read(fd,buffer);
write(socket,buffer);
close(socket);
I think it's this because I made a small webserver earlier to see common
bugs. I checked on the net, and the dynamic server of Francois Piette
(known for Delphi components) and various shareware servers, or remote
admin modules for e.g. proxy servers, are vulnerable.
greetz,
kervel
(kervel@svennieboy.terbank.kotnet.org)
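The two defects the pseudocode above points at are a request line with fewer than three words (which the original reads without checking) and a URL that is pasted onto the web root directory without any check for '..' or backslashes. As an added illustration of the checks a server needs, not code from the original post or from Mirabilis, the C below parses the request line with a required token count and width limits, then lexically resolves the URL under a web root, refusing any '..' segment instead of trying to normalise it. The WEBROOT path, the function names and the sample request lines are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define WEBROOT "/srv/icq_webroot"   /* hypothetical web root; an assumption */
#define TOKMAX 255                   /* longest token accepted per field   */

/* Parse "METHOD URL VERSION". Returns 1 when all three tokens are present,
 * 0 otherwise (the one- or two-word request that crashed the original).
 * Each output buffer must hold TOKMAX + 1 bytes. */
int parse_request_line(const char *line, char *method, char *url, char *version)
{
    /* Width limits stop an over-long token overrunning the buffers. */
    int n = sscanf(line, "%255s %255s %255s", method, url, version);
    return n == 3;
}

/* Lexically resolve url under WEBROOT. Returns 1 and writes the resolved
 * path into out when the url is safe; returns 0 when the url does not start
 * with '/', contains a backslash, contains a ".." segment, or would not fit.
 * ".." is rejected outright rather than popped, so the result can never
 * climb above WEBROOT whatever the caller's directory layout looks like. */
int resolve_under_webroot(const char *url, char *out, size_t outlen)
{
    char segs[64][TOKMAX + 1];   /* collected path segments */
    int depth = 0;
    const char *p = url;

    if (url[0] != '/' || strchr(url, '\\') != NULL)
        return 0;

    while (*p) {
        const char *start;
        size_t len;
        while (*p == '/') p++;            /* collapse repeated slashes */
        if (!*p) break;
        start = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        if (len > TOKMAX || depth >= 64) return 0;
        if (len == 1 && start[0] == '.') continue;              /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') return 0; /* never climb */
        memcpy(segs[depth], start, len);
        segs[depth][len] = '\0';
        depth++;
    }

    /* Rebuild the path from WEBROOT plus the vetted segments. */
    size_t used = strlen(WEBROOT);
    if (used >= outlen) return 0;
    memcpy(out, WEBROOT, used + 1);
    for (int i = 0; i < depth; i++) {
        size_t l = strlen(segs[i]);
        if (used + 1 + l >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], l + 1);
        used += l;
    }
    return 1;
}

/* Full pipeline: returns 1 and fills path when the request can be served. */
int servable_path(const char *line, char *path, size_t pathlen)
{
    char method[TOKMAX + 1], url[TOKMAX + 1], version[TOKMAX + 1];
    if (!parse_request_line(line, method, url, version)) return 0;
    return resolve_under_webroot(url, path, pathlen);
}

int main(void)
{
    /* Constructed sample request lines, not captured traffic. */
    const char *samples[] = {
        "GET /index.html HTTP/1.0",
        "GET /docs/./readme.txt HTTP/1.0",
        "GET /../../../autoexec.bat HTTP/1.0",
        "GET \\..\\..\\win.ini HTTP/1.0",
        "GET",
    };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (servable_path(samples[i], path, sizeof path))
            printf("serve   %-40s -> %s\n", samples[i], path);
        else
            printf("reject  %s\n", samples[i]);
    }
    return 0;
}
```

The rejected requests should be answered with a 400 or 404 rather than ignored, and on a real filesystem the lexical check is best paired with opening the file and confirming it is a regular file below the root, since symlinks inside the web root are a separate way out.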