Bugtraq mailing list archives

Update: security hole in the ICQ-Webserver


From: wj.Vogelgesang () SAARBRUECKEN NETSURF DE (Jan Vogelgesang)
Date: Sat, 1 May 1999 13:58:41 +0200


Hi,
some weeks ago, I wrote a message about a security hole in the ICQ-webserver (look at http://www.geek-girl.com/bugtraq/1999_2/0028.html to read it again). Mirabilis found the bug and fixed it with Build 1701, which can be downloaded from http://www.icq.com/download/. But they don't put a warning on their Webpage or inform the ICQ-community about the bug. That's bad.

Moreover, the fix leaves a small problem (not really a bug) in the Webserver:

---- description of the security problem in Build 1701 ----
Problem: When the ICQ-Webserver is enabled (i.e. "Activate Homepage" is checked) everybody can test if a specific file exists on this computer. Although an attacker can't view the contents of the files, he can test, for example, if a certain application is installed on this computer. This knowledge is useful to prepare other attacks, e.g. sending specialized macro viruses or doing some specialized D.o.S. attacks.
Details: Mirabilis fixed the old ICQ-Webserver-Bug. With the new version (build 1701), the ICQ-webserver would only deliver files in the ICQ-Homepage-directory. If an attacker tries to read a file that is not in the homepage-directory of ICQ99 (with the same method as in the old bug), the ICQ-webserver wouldn't deliver the file. If the file exists on the specific location the attacker would receive "403 Forbidden". If the file doesn't exist he would receive "404 Not Found". Thus, he can test if a specific file exists.
It seems that the ICQ-Webserver first tests if the requested file exists and then if the request is secure. I think this order should be reversed.


Jan Vogelgesang
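
The check order discussed in the post, as an added example that is not part of the original message and is not Mirabilis code: one resolver tests existence before containment and so answers 403 or 404 depending on whether an outside file exists, while the reversed order gives the same answer for both. The function names, the temporary directory layout and the `../` requests are assumptions, constructed as stand-ins for any request that resolves outside the homepage directory.

```python
import os
import tempfile

def _inside(docroot, target):
    # True only when the resolved target lies under the resolved docroot.
    root = os.path.realpath(docroot)
    return os.path.commonpath([root, target]) == root

def status_exists_first(docroot, url_path):
    """Order described in the post: existence test, then containment test."""
    target = os.path.realpath(os.path.join(docroot, url_path.lstrip("/")))
    if not os.path.isfile(target):
        return 404
    if not _inside(docroot, target):
        return 403  # reveals that a file exists outside the homepage directory
    return 200

def status_containment_first(docroot, url_path):
    """Reversed order: reject out-of-directory requests before touching the file."""
    target = os.path.realpath(os.path.join(docroot, url_path.lstrip("/")))
    if not _inside(docroot, target):
        return 404  # identical answer whether or not the outside file exists
    if not os.path.isfile(target):
        return 404
    return 200

def demo():
    # Constructed layout: base/homepage is the docroot, base/secret.txt lies outside it.
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "homepage")
        os.mkdir(docroot)
        open(os.path.join(docroot, "index.html"), "w").close()
        open(os.path.join(base, "secret.txt"), "w").close()
        requests = ["/index.html", "/../secret.txt", "/../absent.txt"]
        return {
            "exists_first": [status_exists_first(docroot, r) for r in requests],
            "containment_first": [status_containment_first(docroot, r) for r in requests],
        }

if __name__ == "__main__":
    for order, codes in demo().items():
        print(order, codes)
```
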


