|
|
| |
A while back BearShare 2.2.2 was reported to have a directory traversal vulnerability in it. This issue was fixed by the company, now a different variant of the same issue seems to have resurfaced, allowing a remote attacker to view any file he desires by issuing a specially crafted HTTP request.
Despite a correction attempt in part of the vendor, the updated version is still vulnerable. |
| |
Credit:
The information has been provided by Gluck and Mario Solares.
|
| |
Vulnerable systems:
* BearShare version 4.0.5
* BearShare version 4.0.6 (second variant)
Vendor response:
"The fix for the directory traversal issue you reported to us has been released as part of BearShare 4.0.6. All users will be notified by the application itself that a new version is available."
Workaround:
Users that do not upgrade are recommend to deactivate the built in personal web server by choosing Setup->Uploads and un-checking the "Activate the built in personal web server" check box.
Example (first variant):
Issuing the following request:
http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini
Would translate into:
http://127.0.0.1:6346/\..\..\..\windows\win.ini
Returning the win.ini file.
Second variant:
Following the release of BearShare version 4.0.6, Gluck has informed us that this version is still vulnerable to a simple variant of the attack which indicates bearshare has not done a good job of fixing the problem.
This time issuing the following request would work:
http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini
|
|
|
|
|
