BearShare Directory Traversal Issue Resurfaces ------------------------------------------------------------------------ Article reference: http://www.securiteam.com/windowsntfocus/6D0010A5PU.html SUMMARY A while back BearShare 2.2.2 was <http://www.securiteam.com/windowsntfocus/5SP0P2K40U.html> reported to have a directory traversal vulnerability in it. This issue was fixed by the company, now a different variant of the same issue seems to have resurfaced, allowing a remote attacker to view any file he desires by issuing a specially crafted HTTP request. Despite a correction attempt in part of the vendor, the updated version is still vulnerable. DETAILS Vulnerable systems: * BearShare version 4.0.5 * BearShare version 4.0.6 (second variant) Vendor response: "The fix for the directory traversal issue you reported to us has been released as part of BearShare 4.0.6. All users will be notified by the application itself that a new version is available." Workaround: Users that do not upgrade are recommend to deactivate the built in personal web server by choosing Setup->Uploads and un-checking the "Activate the built in personal web server" check box. Example (first variant): Issuing the following request: http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini Would translate into: http://127.0.0.1:6346/\..\..\..\windows\win.ini Returning the win.ini file. Second variant: Following the release of BearShare version 4.0.6, Gluck has informed us that this version is still vulnerable to a simple variant of the attack which indicates bearshare has not done a good job of fixing the problem. This time issuing the following request would work: http://127.0.0.1:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini The information has been provided by <mailto:gluck@securedream.net> Gluck and <mailto:mario@freepeers.com> Mario Solares. -- Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com Know that you're safe: http://www.AutomatedScanning.com
