Bugtraq mailing list archives

security hole in ICQ-Webserver


From: wj.Vogelgesang () SAARBRUECKEN NETSURF DE (Jan Vogelgesang)
Date: Mon, 5 Apr 1999 23:50:56 +0200


Hi,
Some days ago I read a message here in Bugtraq from Ronald A. Jarell about a vulnerability in the ICQ-Webserver. I tried to reproduce this vulnerability with my computer (Win95) and found out the following:
- Sending any non-HTTP stuff or even a simple "get" (without any other characters, however) crashes the ICQ-Client. This works with ICQ99a V2.13 Build 1700, but not with Build 1547.

Moreover, there is a much bigger hole in the ICQ-Webserver: If you have the webserver enabled, everyone can access your complete(!) hard disk with a simple web browser.
When your page is activated and you are online, each request to "http://members.icq.com/<your ICQ-Number>" will be redirected to your computer. Thus, every visitor gets to know your current IP.
Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would come to the root directory of your hard disk.
But there is one barrier: The ICQ-Webserver only delivers files with a ".html" extension. After some experiments I found a way to trick it: I add ".html/" to the URL and the Webserver sends every file I request. For instance, "http://<yourIP>/............./config.sys" won't work, but "http://<yourIP>/.html/............./config.sys" would.
I have tested this both with Build 1700 and with Build 1547.

In my opinion, this is a significant security problem, because password files or even the registry in the Windows directory can be read.
I warned Mirabilis about it and hope they will inform the ICQ community.
Sorry for my poor English...

Jan Vogelgesang
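
A defensive sketch of the request validation that would stop both tricks described in the message, added here as an example and not code from the original post or from Mirabilis. The function names, the document root and the shape of the weak extension check (`naive_allows`) are assumptions made for illustration.

```python
import os
from urllib.parse import unquote

ALLOWED_EXT = ".html"

def naive_allows(url_path):
    # Assumed shape of the weak check: ".html" anywhere in the URL passes.
    return ALLOWED_EXT in url_path

def resolve_request(url_path, docroot):
    """Return the absolute path to serve, or None if the request is rejected."""
    path = unquote(url_path.split("?", 1)[0])
    # NUL, backslash and drive/stream separators never belong in a served path.
    if any(c in path for c in "\x00\\:"):
        return None
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    for seg in segments:
        # Reject ".", "..", "..." and longer runs: any dots-only segment.
        if seg.strip(".") == "":
            return None
    # The extension test applies to the final segment, the file actually served.
    if not segments[-1].lower().endswith(ALLOWED_EXT):
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Containment check after canonicalisation catches symlinks and misses above.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Constructed sample requests modelled on the URLs quoted in the message.
SAMPLES = [
    "/index.html",
    "/...../a2.html",
    "/............./config.sys",
    "/.html/............./config.sys",
]

def classify(docroot="/srv/icq/personal"):  # hypothetical document root
    return {p: resolve_request(p, docroot) is not None for p in SAMPLES}

if __name__ == "__main__":
    for request, served in classify().items():
        print("SERVE " if served else "REJECT", request)
```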


