From stevek@STEVEK.COM Sun Sep 13 08:18:49 1998 From: Steve Kann (stevek@STEVEK.COM) To: BUGTRAQ@netspace.org Date: Thu, 10 Sep 1998 09:51:42 -0400 Subject: Re: bug in iChat 3.0 (maybe others) On Wed, Sep 09, 1998 at 04:19:28PM -0700, Jon Beaton wrote: : The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on : port 4080 as default. From what I've noticed, it just uses http, and has : a bug which lets following /../../../ be ran on the URL using any web : browser. For example, something like: : : http://chat.server.com:4080/../../../etc/passwd They (ichat) know about this problem, and have fixed it in versions greater than 3.00. It's a pretty stupid problem to have in the first place, though. What really irked me about this when I found out about it was this: 1) I found out about it as it was being exploited by an I-chat technical support representative, who was using it to read certain configuration files on my machine. He wasn't necessarily being malicious, but he _was_ accessing files on my machine, using a security flaw in their software, without my consent. Not exactly an experience that gives one a "warm/fuzzy feeling". 2) They released a version 3.00 for linux, but did not release a fixed version for linux. So, users running it on linux were forced to either stop using it altogether, or live with the problem. The third possibility, running it in a protected chrooted environment, is what I chose for the period of time that I needed to continue running the software. I figured that if they had this kind of bug, who knows how many exploitable buffer overflows there are. -SteveK -- Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502 Personal:stevek@SteveK.COM Business:stevek@HorizonLive.com (212) 533-1775 Non voglio il vostro prodotto o servizio, e non voglio i vostri soldi Pertanto, non mandatemi alcuna informazione a riguardo.