ParaChat Server "dot dot" directory traversal
| parachat-directory-traversal (17541) |  Medium Risk |
Description:
ParaChat Server could allow a remote attacker to traverse directories on the Web server. A remote attacker could exploit this vulnerability by sending a specially-crafted URL containing "dot dot" sequences (in the form of ..%5C/) to ParaChat to traverse directories and view arbitrary files on the Web server.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of ParaChat Server (5.5 dated 9/29/2004 or later), available from the ParaChat Server Web site. See References.
References:
- BugTraq Mailing List, Thu Sep 30 2004 - 13:14:28 CDT: Re: directory traversal in ParaChat Server 5.5.
- BugTraq Mailing List, Wed Sep 29 2004 - 06:18:29 CDT: directory traversal in ParaChat Server 5.5.
- Donato Ferrante, 28-Sep-2004: ParaChat Server.
- ParaChat Server Web site: ParaChat - Fast, Feature-rich, Original Java Chat Since 1996.
- BID-11272: ParaChat Directory Traversal Vulnerability
- CVE-2004-1568: Directory traversal vulnerability in ParaChat Server 5.5 allows remote attackers to read arbitrary files via a ..%5C (hex-encoded dot dot) in the URL.
- SA12678: ParaChat Server Directory Traversal Vulnerability
- SECTRACK ID: 1011438: ParaChat Server Input Validation Flaw Discloses Files to Remote Users
Platforms Affected:
- M Square ParaChat Server 5.5
Reported:
Sep 29, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net