Bugtraq mailing list archives
Re: bug in iChat 3.0 (maybe others)
From: stevek () STEVEK COM (Steve Kann)
Date: Thu, 10 Sep 1998 09:51:42 -0400
On Wed, Sep 09, 1998 at 04:19:28PM -0700, Jon Beaton wrote:
Hi, The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on port 4080 as default. From what I've noticed, it just uses http, and has a bug which lets following /../../../ be ran on the URL using any web browser. For example, something like: http://chat.server.com:4080/../../../etc/passwd
They (ichat) know about this problem, and have fixed it in versions greater than 3.00. It's a pretty stupid problem to have in the first place, though. What really irked me about this when I found out about it was this: 1) I found out about it as it was being exploited by an I-chat technical support representative, who was using it to read certain configuration files on my machine. He wasn't necessarily being malicious, but he _was_ accessing files on my machine, using a security flaw in their software, without my consent. Not exactly an experience that gives one a "warm/fuzzy feeling". 2) They released a version 3.00 for linux, but did not release a fixed version for linux. So, users running it on linux were forced to either stop using it altogether, or live with the problem. The third possibility, running it in a protected chrooted environment, is what I chose for the period of time that I needed to continue running the software. I figured that if they had this kind of bug, who knows how many exploitable buffer overflows there are. -SteveK -- Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502 Personal:stevek () SteveK COM Business:stevek () HorizonLive com (212) 533-1775 Non voglio il vostro prodotto o servizio, e non voglio i vostri soldi Pertanto, non mandatemi alcuna informazione a riguardo.
Current thread:
- bug in iChat 3.0 (maybe others) Jon Beaton (Sep 09)
- Re: bug in iChat 3.0 (maybe others) Renzo Toma (Sep 10)
- Re: bug in iChat 3.0 (maybe others) Steve Kann (Sep 10)