COMMAND

    ICQ

SYSTEMS AFFECTED

    Systems running ICQ

PROBLEM

    Ronald A. Jarrell found the following.  It was tested under ICQ99a
    build 1700 v2.13 client (first publicly distributed one of the 99
    family?).  If you turn on the "Activate my home page" feature you
    will turn your computer into a web server...  Complete with a file
    server that allows by default anything in the

        Program files\icq\homepage\root\YOUR#\files

    folder to be requested.  It will even set up a guest book, chat
    service, etc... (yea, they said "turning this on might increase
    people's access to your machine, and tell them your ip address" -
    of course it will.  You're setting up a bloody web server you
    idiots.  A bad one at that.)

    Telnet to your port 80, and enter some non http gibberish.  Try:

        quit<cr>

    for grins.  Blam.  Down goes the ICQ client with a GPF.  Even
    doing an http "GET ......." (with a lot more periods) will crash
    the icq 'webserver'.  ICQ has always had a high "DOSability
    factor".  So far, this works on NT, but not on 95 (98?)!?

    Jan Vogelgesang added the following.  If you have the webserver
    enabled, everyone can access your complete(!) harddisk with a
    simple webbrowser.  When your page is activated and you are
    online, each request to

        http://members.icq.com/<your ICQ-Number>

    will be redirected to your computer.  Thus, every visitor gets to
    know your current ip.  Nevertheless, only the files in

        /ICQ99/Hompage/<your ICQ-Number>/personal

    should be accessible.  But a visitor can "climb up" the directory
    tree with some dots, e.g.

        http://<yourIP>/...../a2.html

    would present him the file "a2.html" in the "ICQ99" directory.
    With some more dots, he would come to the root-directory of your
    harddisk.  But there is one barrier: The ICQ-Webserver only
    delivers files with a ".html" extension.  After some experiments
    here's the trick to do it: add ".html/" to the URL and the
    Webserver sends every file you request.  For instance,

        http://<yourIP>/............./config.sys

    won't work, but

        http://<yourIP>/.html/............./config.sys

    would.  This was tested with both Build 1700 and with Build 1547,
    and it works under Win9x (while the first vulnerability works
    under NT with build 1700).
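
    The two checks the traversal above gets past, written the way a
    web server should make them.  This is an added example, not ICQ
    code; resolve_request, the /icq/personal root and the sample
    requests are assumptions made up for illustration.

```python
import posixpath
from urllib.parse import unquote

ALLOWED_EXT = ".html"  # the advisory says only .html files are meant to be served

def resolve_request(doc_root, url_path):
    """Return the file path to serve under doc_root, or None to refuse."""
    decoded = unquote(url_path.split("?", 1)[0])
    # Backslashes are separators on the Windows hosts the advisory covers.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s]
    if not segments:
        return None
    for seg in segments:
        # The advisory shows runs of dots climbing the tree, so refuse every
        # all-dot segment ("..", "...", "....."), not only "..".
        if set(seg) == {"."}:
            return None
        if ":" in seg or "\x00" in seg:  # drive letters, NUL truncation
            return None
    # Check the extension on the final segment (the file actually opened),
    # never on an earlier piece of the URL such as ".html/".
    if not segments[-1].lower().endswith(ALLOWED_EXT):
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: the normalised path must still sit under the root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate

if __name__ == "__main__":
    # Constructed sample requests, modelled on the URL shapes in the advisory.
    for path in ["/index.html", "/...../a2.html",
                 "/.html/............./config.sys", "/%2e%2e/%2e%2e/a2.html"]:
        print(path, "->", resolve_request("/icq/personal", path))
```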

SOLUTION

    Mirabilis found the bug and fixed it with Build 1800, which can be
    downloaded from

        http://www.icq.com/download/