| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <057901c26b19$58d4f120$c64896d4@beyondmobile1> From: aviram at beyondsecurity.com (Aviram Jenik) Subject: BearShare Directory Traversal Issue Resurfaces BearShare Directory Traversal Issue Resurfaces ------------------------------------------------------------------------ Article reference: http://www.securiteam.com/windowsntfocus/6D0010A5PU.html SUMMARY A while back BearShare 2.2.2 was <http://www.securiteam.com/windowsntfocus/5SP0P2K40U.html> reported to have a directory traversal vulnerability in it. This issue was fixed by the company, now a different variant of the same issue seems to have resurfaced, allowing a remote attacker to view any file he desires by issuing a specially crafted HTTP request. Despite a correction attempt in part of the vendor, the updated version is still vulnerable. DETAILS Vulnerable systems: * BearShare version 4.0.5 * BearShare version 4.0.6 (second variant) Vendor response: "The fix for the directory traversal issue you reported to us has been released as part of BearShare 4.0.6. All users will be notified by the application itself that a new version is available." Workaround: Users that do not upgrade are recommend to deactivate the built in personal web server by choosing Setup->Uploads and un-checking the "Activate the built in personal web server" check box. Example (first variant): Issuing the following request: http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini Would translate into: http://127.0.0.1:6346/\..\..\..\windows\win.ini Returning the win.ini file. Second variant: Following the release of BearShare version 4.0.6, Gluck has informed us that this version is still vulnerable to a simple variant of the attack which indicates bearshare has not done a good job of fixing the problem. This time issuing the following request would work: http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini The information has been provided by <mailto:gluck@...uredream.net> Gluck and <mailto:mario@...epeers.com> Mario Solares. -- Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com Know that you're safe: http://www.AutomatedScanning.com
Powered by blists - more mailing lists