Date: Mon, 5 Apr 1999 23:50:56 +0200
From: Jan Vogelgesang
To: BUGTRAQ@netspace.org
Subject: security hole in ICQ-Webserver

Hi,

Some days ago I read a message here in Bugtraq from Ronald A. Jarell about a vulnerability in the ICQ-Webserver. I tried to reproduce this vulnerability on my computer (Win95) and found out the following:

- Sending any non-HTTP stuff, or even a simple "get" (without any other characters, however), crashes the ICQ client. This works with ICQ99a V2.13 Build 1700, but not with Build 1547.

Moreover, there is a much bigger hole in the ICQ-Webserver: if you have the webserver enabled, everyone can access your complete(!) hard disk with a simple web browser. When your page is activated and you are online, each request to "http://members.icq.com/" is redirected to your computer. Thus, every visitor gets to know your current IP. Nevertheless, only the files in "/ICQ99/Hompage//personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http:///...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would come to the root directory of your hard disk.

But there is one barrier: the ICQ-Webserver only delivers files with a ".html" extension. After some experiments I found a way to trick it: I add ".html/" to the URL and the webserver sends every file I request. For instance, "http:///............./config.sys" won't work, but "http:///.html/............./config.sys" would. I have tested this both with Build 1700 and with Build 1547.

In my opinion, this is a significant security problem, because password files or even the registry in the Windows directory can be read. I warned Mirabilis about it and hope they will inform the ICQ community.

Sorry for my poor English...

Jan Vogelgesang
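The two defects described above (dot-based traversal and an extension check that a ".html/" segment earlier in the URL can satisfy) are shown here from the defender's side as an added example; this is not code from the report or from ICQ. A request-path resolver rejects dot-only path components, canonicalises the path before checking that it stays under the document root, and applies the ".html" rule to the resolved file name. DOC_ROOT and the function name are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root standing in for the personal-page directory.
DOC_ROOT = "/ICQ99/Homepage/personal"
ALLOWED_EXT = ".html"


def resolve_request(url_path: str) -> Optional[str]:
    """Map a request path onto a file under DOC_ROOT, or return None if refused.

    Mitigates the two problems from the report:
    1. traversal with dot-only components ("..", "...", "....."): every
       component is inspected after percent-decoding, and the normalised
       path must still lie under DOC_ROOT;
    2. the extension check runs on the last component of the resolved path,
       so a ".html/" segment earlier in the URL cannot satisfy it.
    """
    decoded = unquote(url_path)
    # Refuse NUL bytes and backslashes; only plain "/"-separated paths are served.
    if "\x00" in decoded or "\\" in decoded:
        return None
    components = [c for c in decoded.split("/") if c not in ("", ".")]
    if not components:
        return None
    # Windows 9x treated runs of dots as "climb one level per extra dot";
    # any dot-only component, including "..", is treated as traversal.
    if any(set(c) == {"."} for c in components):
        return None
    normalized = posixpath.normpath(posixpath.join(DOC_ROOT, "/".join(components)))
    # The candidate must remain inside DOC_ROOT after normalisation.
    if normalized != DOC_ROOT and not normalized.startswith(DOC_ROOT + "/"):
        return None
    # Check the extension of the file actually served, not a substring of the URL.
    if not normalized.lower().endswith(ALLOWED_EXT):
        return None
    return normalized


if __name__ == "__main__":
    # Constructed requests: one legitimate page and the shapes from the report.
    for req in ("/a2.html", "/...../a2.html", "/.html/............./config.sys"):
        print(f"{req!r:45} -> {resolve_request(req)}")
```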