Bugtraq mailing list archives

security hole (READ AS: security chasm) in ICQ-Webserver


From: d () CHRONIC ORG (DaChronic)
Date: Thu, 8 Apr 1999 00:00:47 -0500



Aleph,
Sorry about the html.
Thanx

-SNIP!-

Moreover, there is a much bigger hole in the ICQ-Webserver: If you have the webserver enabled, everyone can access your complete(!) hard disk with a simple web browser.
When your page is activated and you are online, each request to "http://members.icq.com/<your ICQ-Number>" will be redirected to your computer. Thus, every visitor gets to know your current IP.
Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would come to the root directory of your hard disk.
But there is one barrier: The ICQ-Webserver only delivers files with a ".html" extension. After some experiments I found a way to trick it: I add ".html/" to the URL and the Webserver sends every file I request. For instance, "http://<yourIP>/............./config.sys" won't work, but "http://<yourIP>/.html/............./config.sys" would.
I have tested this with both Build 1700 and Build 1547.
-SNIP!-

So speaketh Jan Vogelgesang
and
So spake I:

I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes, nor sp4 (can anyone else?). Furthermore, when you download someone's user.dat or system.dat, IT WILL CORRUPT their registry, or so their "win popup" will tell them. This was successful twice on 95 and 98; however, it was not on NT.

- -d0c

d0c70r d4chr0n1c (d0c) of http://chronic.org -CONTACTS-
ICQ# 182533 <---- HEH!, EGN# 7278, and/ or  mailto:d () chronic org .

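The two weaknesses described in the quoted report, dot-run traversal and an extension check that is satisfied by ".html" appearing anywhere in the URL rather than on the file actually opened, are what a small request-path filter in front of the file system should refuse. The Python below is an added illustration for this archive page, not ICQ code; the web root and the request paths are constructed examples following the paths quoted above.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example: the only directory the homepage server may serve.
ROOT = "/ICQ99/Hompage/182533/personal"
ALLOWED_SUFFIXES = (".html",)


def resolve_request(webroot: str, url_path: str) -> Optional[str]:
    """Map a request path onto a file under webroot, or return None to refuse it.

    url_path is the path part of the request line, still URL-encoded.
    """
    # Decode exactly once; decoding again later would let "%252e" turn into ".".
    decoded = unquote(url_path)
    # Win9x-era clients and servers accept backslashes as separators, so
    # normalise them before any component check.
    decoded = decoded.replace("\\", "/")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    for part in parts:
        # A component made only of dots is traversal: ".." everywhere, and
        # "..." or "....." climb several levels on DOS-era Windows.
        if set(part) == {"."}:
            return None
        # Drive letters and control characters (e.g. %00) have no place in a
        # request path and defeat naive suffix checks.
        if ":" in part or any(ord(c) < 32 for c in part):
            return None
    # The extension rule applies to the FINAL component only; ".html/" in the
    # middle of the path therefore cannot satisfy it.
    if not parts or not parts[-1].lower().endswith(ALLOWED_SUFFIXES):
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, *parts))
    # Containment check after normalisation, as defence in depth.
    if not candidate.startswith(webroot.rstrip("/") + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/a2.html", "/...../a2.html", "/.html/............./config.sys"):
        print(req, "->", resolve_request(ROOT, req))
```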


