+++ Easy chat server 1.2 Directory traversal +++

Release Date: June 30, 2004
Severity: Medium

Systems Affected:
Microsoft Windows NT 4.0 (all versions)
Microsoft Windows 2000 (SP3 and earlier)
Microsoft Windows XP (all versions)
Windows 9x

Description:
Easy Chat Server is an easy, fast and affordable way to host and manage your own real-time communication software. It allows friends/colleagues to chat with you through a Web Browser (IE, Netscape, Opera etc.) on any computer (Windows, Linux, Solaris...) without any special plug-ins or software. It can help you set up your community chat rooms, collaborative work sessions or online meetings.

A simple directory traversal problem has been identified in Easy chat server 1.2 that may allow a remote user to read files outside the WWW directory.

Example:
/../../boot.ini

Workaround:
Use another product.

Pr00f of concept code:
Sorry, nothing at the moment, but some pr00f of concept exploit may emerge soon.

Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/

Feedback:
Please send your comments to: dr_insane@pathfinder.gr
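
Added example (not part of the original advisory, and not Easy Chat Server code): a Python sketch of the request-path check whose absence produces this class of bug. The web root, function names and sample requests are assumptions constructed for illustration, and the check also covers percent-encoded and backslash forms, which go beyond the single request shown in the advisory.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/chat/www"  # assumed document root, not taken from the advisory


def resolve_request_path(request_target, web_root=WEB_ROOT):
    """Return the file path a request maps to, or None if it leaves web_root."""
    # Drop query string and fragment; only the path selects a file.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes exactly once, before any checks, so that
    # %2e%2e is seen as ".." here rather than later by the file system.
    decoded = unquote(path)
    # Windows file APIs accept "\" as a separator, so normalise it to "/".
    decoded = decoded.replace("\\", "/")
    # NUL truncates names in C APIs; ":" selects a drive or an NTFS stream.
    if "\x00" in decoded or ":" in decoded:
        return None
    # Collapse "." and ".." segments, then confirm the result is still
    # the root itself or something below it.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


# Constructed request targets (illustrative, not captured traffic).
SAMPLES = [
    "/index.html",
    "/rooms/../index.html",
    "/../../boot.ini",
    "/%2e%2e/%2e%2e/boot.ini",
    "/..\\..\\boot.ini",
    "/../www-private/users.txt",
]


def rejected(samples=SAMPLES):
    """Return the sample targets that the check refuses to serve."""
    return [s for s in samples if resolve_request_path(s) is None]


if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target!r:32} -> {resolve_request_path(target)}")
```

The comparison against web_root plus a trailing separator is what stops a sibling directory such as www-private from passing a bare prefix match; a production server would also resolve symbolic links before comparing.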