OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Aviram Jenik (aviram_at_beyondsecurity.com)
Date: Thu Oct 03 2002 - 15:12:31 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

      BearShare Directory Traversal Issue Resurfaces
    ------------------------------------------------------------------------

    Article reference:
    http://www.securiteam.com/windowsntfocus/6D0010A5PU.html

    SUMMARY

    A while back BearShare 2.2.2 was
    <http://www.securiteam.com/windowsntfocus/5SP0P2K40U.html> reported to
    have a directory traversal vulnerability in it. This issue was fixed by
    the company, now a different variant of the same issue seems to have
    resurfaced, allowing a remote attacker to view any file he desires by
    issuing a specially crafted HTTP request.

    Despite a correction attempt in part of the vendor, the updated version
    is still vulnerable.

    DETAILS

    Vulnerable systems:
     * BearShare version 4.0.5
     * BearShare version 4.0.6 (second variant)

    Vendor response:
    "The fix for the directory traversal issue you reported to us has been
    released as part of BearShare 4.0.6. All users will be notified by the
    application itself that a new version is available."

    Workaround:
    Users that do not upgrade are recommend to deactivate the built in
    personal web server by choosing Setup->Uploads and un-checking the
    "Activate the built in personal web server" check box.

    Example (first variant):
    Issuing the following request:

    http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini

    Would translate into:
    http://127.0.0.1:6346/\..\..\..\windows\win.ini

    Returning the win.ini file.

    Second variant:
    Following the release of BearShare version 4.0.6, Gluck has informed us
    that this version is still vulnerable to a simple variant of the attack
    which indicates bearshare has not done a good job of fixing the problem.
    This time issuing the following request would work:

    http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini

    The information has been provided by <mailto:glucksecuredream.net>
    Gluck
    and <mailto:mariofreepeers.com> Mario Solares. 

    --
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

    Know that you're safe:
http://www.AutomatedScanning.com