Bugtraq mailing list archives
security hole (READ AS: security chasm) in ICQ-Webserver
From: d () CHRONIC ORG (DaChronic)
Date: Thu, 8 Apr 1999 00:00:47 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aleph,

Sorry about the html. Thanx

- -SNIP!-

Moreover, there is a much bigger hole in the ICQ-Webserver: If you have the webserver enabled, everyone can access your complete(!) harddisk with a simple webbrowser.

When your page is activated and you are online, each request to "http://members.icq.com/<your ICQ-Number>" will be redirected to your computer. Thus, every visitor gets to know your current IP. Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would come to the root directory of your harddisk. But there is one barrier: the ICQ-Webserver only delivers files with a ".html" extension.

After some experiments I found a way to trick it out: I add ".html/" to the URL and the webserver sends every file I request. For instance, "http://<yourIP>/............./config.sys" won't work, but "http://<yourIP>/.html/............./config.sys" would. I have tested this both with Build 1700 and with Build 1547.

- -SNIP!-

So speaketh Jan Vogelgesang, and so spake I:

I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes nor sp4 (can anyone else?). Furthermore, when you download someone's user.dat or system.dat, IT WILL CORRUPT their registry, or so their "win popup" will tell them. This was successful twice on 95 and 98, however it was not on NT.

- - -d0c d0c70r d4chr0n1c (d0c) of http://chronic.org
-CONTACTS- ICQ# 182533 <---- HEH!, EGN# 7278, and/or mailto:d () chronic org .

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2 for non-commercial use <http://www.pgp.com>
Comment: PGP ENCRYPTED / SIGNED MAIL PREFERRED

iQA/AwUBNww3/0LHWmBTEtAREQKcvwCfbmNv/RCfb4X2xw0T1dx2m9CIuuAAnRQ5
1/qslQgb7N83mL8IRjympXlV
=J7hE
-----END PGP SIGNATURE-----
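The post describes two independent defects in a static file server: directory climbing with runs of dots (which Win9x resolved as parent-directory steps), and an extension filter that is satisfied by ".html" appearing anywhere in the URL rather than at the end of the file actually served. The Python below is an added illustration, not code from the post and not the ICQ webserver's own logic (which is not public): `weak_resolve` is a hypothetical filter with the observable behaviour the post reports, and `safe_resolve` shows the checks a defender would want instead, tested against the exact URLs quoted above. The document root and file names are constructed.

```python
"""
Hardened request-path resolution for a tiny static file server.
Added example: both functions are hypothetical and stand in for
behaviour described in the post, not for ICQ's real implementation.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed document root in the spirit of ".../ICQ99/Homepage/<number>/personal".
DOC_ROOT = "/srv/ICQ99/Homepage/123456/personal"
ALLOWED_SUFFIXES = {".html", ".htm"}


def weak_resolve(url_path: str) -> Optional[str]:
    """Hypothetical filter with the failure mode the post describes:
    a substring test for '.html' followed by plain concatenation.
    Any '.html/' segment satisfies it, and dot runs are passed straight
    through to a filesystem that may walk upward on them."""
    if ".html" not in url_path:
        return None
    return DOC_ROOT + url_path


def safe_resolve(url_path: str) -> Optional[str]:
    """Return an absolute path under DOC_ROOT, or None to refuse.

    Order matters: decode, reject dangerous characters, reject traversal
    segments, normalise, confine to the root, and only then apply the
    extension check to the final file name of the resolved path.
    """
    path = unquote(urlsplit(url_path).path)
    if "\x00" in path or "\\" in path:
        return None

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        # Any segment consisting only of dots is treated as traversal:
        # ".." is the standard form, and Win9x also climbed on "..." and
        # longer runs, so a plain ".." check is not enough.
        if seg.strip(".") == "":
            return None
        segments.append(seg)
    if not segments:
        return None

    full = posixpath.normpath(posixpath.join(DOC_ROOT, "/".join(segments)))

    # Containment is checked on the normalised absolute path, never on
    # the raw URL string.
    if not (full == DOC_ROOT or full.startswith(DOC_ROOT + "/")):
        return None

    # Extension check on the file that would actually be opened, so a
    # ".html/" directory segment earlier in the URL does not count.
    if posixpath.splitext(full)[1].lower() not in ALLOWED_SUFFIXES:
        return None
    return full


if __name__ == "__main__":
    for url in ("/a2.html", "/...../a2.html",
                "/............./config.sys", "/.html/............./config.sys"):
        print(f"{url!r:40} weak={weak_resolve(url)!r:60} safe={safe_resolve(url)!r}")
```

Running the block shows `weak_resolve` accepting the ".html/" form of the `config.sys` request that the post says worked, while `safe_resolve` refuses both that URL and the plain dot-run traversal and serves only files whose resolved name ends in an allowed suffix under the root.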