[7923] in bugtraq
Re: bug in iChat 3.0 (maybe others)
daemon@ATHENA.MIT.EDU (Renzo Toma)
Thu Sep 10 05:10:13 1998
Date: Thu, 10 Sep 1998 09:56:43 +0200
Reply-To: Renzo Toma <renzo@VERONICA.NL>
From: Renzo Toma <renzo@VERONICA.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <35F70CFF.1957B819@ocol.com>
the host:4080/../../../etc/passwd bug has been fixed in 3.03 (checked for
the solaris 2.5 version)
Cheers,
-Renzo
[original post below]
> The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
> port 4080 as default. From what I've noticed, it just uses http, and has
> a bug which lets following /../../../ be ran on the URL using any web
> browser. For example, something like:
>
> http://chat.server.com:4080/../../../etc/passwd
>
> will display the passwd file. With this you can view any file on the
> system that 'nobody' has access to. I was only able to test this on
> version 3.0 of the software, and running on Solaris. I contacted the
> company about this, all they said was that if you're using 3.0, you
> should upgrade to 3.03 as soon as possible. I don't even know if this
> particular bug is fixed in that version. If you can try this on other
> versions and OS's, I'd like to hear about the results.
