Easy Chat Server Arbitrary File Access

2004-06-30T03:16:49
ID OSVDB:7326
Type osvdb
Reporter OSVDB
Modified 2004-06-30T03:16:49

Description

Vulnerability Description

Easy Chat Server contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the server not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the URI.

Manual Testing Notes

http://[victim]/../../../../../boot.ini
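
The missing check, as an added example (not Easy Chat Server's code or the advisory's): the flawed join-and-serve pattern next to a resolver that refuses traversal requests. The web root `C:\EasyChat\www` and both function names are assumptions made for illustration; `ntpath` gives Windows path semantics on any platform.

```python
import ntpath
from urllib.parse import unquote

# Constructed web root for illustration; not the product's real install path.
WEB_ROOT = r"C:\EasyChat\www"


def naive_resolve(target: str) -> str:
    """Flawed pattern: join the request path onto the web root unchecked."""
    rel = unquote(target.split("?", 1)[0]).lstrip("/")
    return ntpath.normpath(ntpath.join(WEB_ROOT, rel))


def safe_resolve(target: str):
    """Return a path inside WEB_ROOT, or None when the request is refused."""
    rel = unquote(target.split("?", 1)[0])  # decode exactly once
    # Refuse NUL bytes, drive letters / alternate data streams (":"), and a
    # leftover "%" (double encoding: "%252e" decodes once to "%2e"). This
    # also refuses file names containing a literal "%".
    if any(c in rel for c in ("\x00", ":", "%")):
        return None
    # Windows accepts both separators, so treat "\" exactly like "/".
    segments = [s for s in rel.replace("\\", "/").split("/")
                if s not in ("", ".")]
    # Windows drops trailing dots and spaces, so "..", "..." and ".. " are
    # all refused as traversal segments.
    if any(s.strip(" .") == "" for s in segments):
        return None
    candidate = ntpath.normpath(ntpath.join(WEB_ROOT, *segments))
    # Containment check on the canonical form, independent of the filter.
    root = ntpath.normcase(ntpath.normpath(WEB_ROOT))
    canon = ntpath.normcase(candidate)
    if canon != root and not canon.startswith(root + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request targets; the first is the path from the notes above.
    for t in ("/../../../../../boot.ini", "/..%5c..%5cboot.ini",
              "/%252e%252e/boot.ini", "/chat/index.htm"):
        print(f"{t!r:32} naive={naive_resolve(t)!r} safe={safe_resolve(t)!r}")
```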

References:

Vendor URL: http://www.echatserver.com/
Secunia Advisory ID: 11985
Other Advisory URL: http://members.lycos.co.uk/r34ct/main/Easy_chat_server.txt