

bug in iChat 3.0 (maybe others)


Date: Wed, 9 Sep 1998 16:19:28 -0700
From: Jon Beaton <[email protected]>
To: [email protected]
Subject: bug in iChat 3.0 (maybe others)

Hi,

The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
port 4080 as default. From what I've noticed, it just uses http, and has
a bug which lets the following /../../../ be run on the URL using any web
browser.  For example, something like:

http://chat.server.com:4080/../../../etc/passwd

will display the passwd file. With this you can view any file on the
system that 'nobody' has access to. I was only able to test this on
version 3.0 of the software, and running on Solaris. I contacted the
company about this, all they said was that if you're using 3.0, you
should upgrade to 3.03 as soon as possible.  I don't even know if this
particular bug is fixed in that version. If you can try this on other
versions and OS's, I'd like to hear about the results.

Thanks,

Jon Beaton
[email protected]
jbx @ Undernet
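
The check a server needs before opening a requested file, shown as an added example (not part of the original post and not iChat's code): canonicalise the decoded request path and refuse anything that resolves outside the document root. The function name and `DOC_ROOT` value are assumptions made for illustration.

```python
import os
from urllib.parse import unquote

DOC_ROOT = "/srv/chat/htdocs"  # assumed document root, not taken from the post


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Return the canonical file path for a request, or None if it escapes doc_root."""
    # Drop query string and fragment, then percent-decode exactly once,
    # so "%2e%2e" is treated the same as "..".
    path = unquote(url_path.split("?", 1)[0].split("#", 1)[0])
    if "\x00" in path:
        return None  # embedded NUL would truncate the name at the C layer

    root = os.path.realpath(doc_root)
    # Join relative to the root, then canonicalise: realpath collapses ".."
    # segments and resolves symlinks that may point outside the root.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))

    # Containment test on canonical paths. commonpath compares whole path
    # components, so "/srv/chat/htdocs-old" does not pass for "/srv/chat/htdocs".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the form reported in the post.
    for req in ("/rooms/index.html",
                "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/rooms/../../../../etc/passwd"):
        result = resolve_request_path(req)
        print(f"{req!r:45} -> {'REJECT' if result is None else result}")
```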



