From stevek@STEVEK.COM Sun Sep 13 08:18:49 1998
From: Steve Kann (stevek@STEVEK.COM)
To: BUGTRAQ@netspace.org
Date: Thu, 10 Sep 1998 09:51:42 -0400
Subject: Re: bug in iChat 3.0 (maybe others)

On Wed, Sep 09, 1998 at 04:19:28PM -0700, Jon Beaton wrote:

: The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
: port 4080 as default. From what I've noticed, it just uses http, and has
: a bug which lets following /../../../ be run on the URL using any web
: browser.  For example, something like:
:
: http://chat.server.com:4080/../../../etc/passwd

They (ichat) know about this problem, and have fixed it in versions
greater than 3.00.  It's a pretty stupid problem to have in the first
place, though.

What really irked me about this when I found out about it was this:

1) I found out about it as it was being exploited by an I-chat technical
support representative, who was using it to read certain configuration
files on my machine.  He wasn't necessarily being malicious, but he
_was_ accessing files on my machine, using a security flaw in their
software, without my consent.  Not exactly an experience that gives one
a "warm/fuzzy feeling".

2) They released a version 3.00 for Linux, but did not release a fixed
version for Linux.  So, users running it on Linux were forced to either
stop using it altogether, or live with the problem.  The third
possibility, running it in a protected chrooted environment, is what I
chose for the period of time that I needed to continue running the
software.  I figured that if they had this kind of bug, who knows how
many exploitable buffer overflows there are.

-SteveK

--
     Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502
 Personal:stevek@SteveK.COM  Business:stevek@HorizonLive.com  (212) 533-1775
    I do not want your product or service, and I do not want your money
         Therefore, do not send me any information about it.
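
Added example (not part of the original message and not iChat's code): a lexical check a server can apply to a request path before opening a file, so that the /../../../etc/passwd form quoted above is refused instead of being resolved outside the document root. DOCROOT and resolve_request_path are hypothetical names; the path is assumed to be already percent-decoded, and symbolic links are not checked.

```c
#include <stdio.h>
#include <string.h>

#define DOCROOT "/srv/rooms/htdocs"   /* hypothetical document root */

/* Map a request path onto a file under DOCROOT, resolving "." and ".."
 * segment by segment. Returns 0 and fills `out` on success, -1 if the
 * path is not absolute, would climb above DOCROOT, or does not fit. */
int resolve_request_path(const char *req, char *out, size_t outsz)
{
    size_t root_len = strlen(DOCROOT);
    size_t len = root_len;
    const char *p = req;

    if (req[0] != '/' || root_len + 1 > outsz)
        return -1;
    memcpy(out, DOCROOT, root_len + 1);

    while (*p) {
        size_t n;
        while (*p == '/') p++;                 /* skip separators */
        n = strcspn(p, "/");                   /* length of this segment */
        if (n == 0) break;
        if (n == 1 && p[0] == '.') {
            /* "." refers to the current directory: nothing to do */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == root_len) return -1;    /* would leave DOCROOT */
            while (out[len - 1] != '/') len--; /* drop the last segment */
            out[--len] = '\0';                 /* and its leading slash */
        } else {
            if (len + 1 + n + 1 > outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    return 0;
}

int main(void)
{
    char buf[256];
    const char *req = "/../../../etc/passwd";  /* path form from the report */
    if (resolve_request_path(req, buf, sizeof buf) != 0)
        printf("rejected: %s\n", req);
    else
        printf("serve: %s\n", buf);
    return 0;
}
```

Because the check is purely lexical, running the server in a chroot as described in the message remains a useful second layer.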

