- Date: Mon, 5 Apr 1999 23:50:56 +0200
- From: Jan Vogelgesang <wj.Vogelgesang@SAARBRUECKEN.NETSURF.DE>
- To: BUGTRAQ@netspace.org
- Subject: security hole in ICQ-Webserver
-
- Hi,
- Some days ago I read a message here in Bugtraq from Ronald A. Jarell
- about a vulnerability in the ICQ-Webserver. I tried to reproduce this
- vulnerability with my computer (win95) and found out the following:
- -sending any non-http stuff or even a simple "get" (without any other
- characters however) crashes the ICQ-Client. This works with ICQ99a V2.13
- Build 1700, but not with Build 1547.
-
- Moreover, there is a much bigger hole in the ICQ-Webserver: If you have
- the webserver enabled, everyone can access your complete(!) hard disk
- with a simple web browser. When your page is activated and you are online,
- each request to "http://members.icq.com/<your ICQ-Number>" will be
- redirected to your computer. Thus, every visitor gets to know your current IP.
- Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal"
- should be accessible. But a visitor can "climb up" the directory tree with
- some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file
- "a2.html" in the "ICQ99" directory. With some more dots, he would come to
- the root directory of your hard disk. But there is one barrier: The
- ICQ-Webserver only delivers files with a ".html" extension. After some
- experiments I found a way to trick it: I add ".html/" to the URL and
- the Webserver sends every file I request. For instance,
- "http://<yourIP>/............./config.sys" won't work, but
- "http://<yourIP>/.html/............./config.sys" would.
- I have tested this both with Build 1700 and with Build 1547.
-
- In my opinion, this is a significant security problem, because password
- files or even the registry in the Windows directory can be read.
- I warned Mirabilis about it and hope they will inform the ICQ community.
- Sorry for my poor English...
-
- Jan Vogelgesang
-
-
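The two weaknesses reported above (dot runs that climb out of the served directory, and an extension check satisfied by ".html/" earlier in the URL) can be closed by validating every path segment and checking the extension on the final segment only. The sketch below is an added example, not part of the original post and not ICQ's code; `DOCROOT`, `naive_allows` and `safe_resolve` are hypothetical names, and `naive_allows` is only an assumed model of a check that behaves as the post describes.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/icq/personal"  # constructed document root for this example

def naive_allows(url_path):
    """Assumed model of the weak check: '.html' anywhere in the URL passes."""
    return ".html" in url_path.lower()

def safe_resolve(url_path, docroot=DOCROOT):
    """Return the file path to serve, or None if the request must be refused."""
    # Decode first so encoded dots and backslashes are seen by the checks below.
    path = unquote(url_path).replace("\\", "/")
    if "\x00" in path or ":" in path:  # no NUL bytes, drive letters or streams
        return None
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    for seg in segments:
        # Refuse ".", ".." and longer dot runs such as "....." outright.
        if seg.strip(". ") == "":
            return None
    # The extension test applies to the last segment, not to the whole URL.
    if not segments[-1].lower().endswith(".html"):
        return None
    candidate = posixpath.normpath(posixpath.join(docroot, *segments))
    # Defence in depth: the normalised result must still sit under docroot.
    if posixpath.commonpath([docroot, candidate]) != docroot:
        return None
    return candidate
```
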