Original Sender : Ryo Saeba <[EMAIL PROTECTED]>
---------------------------------


Hello list members,

Do any of you use ICQ? In particular, ICQ 99a build 1700 v2.13 has a service
called "Activate my home page". It turns out this service turns our computer
into a web server on port 80, with the root directory program
files\icq\homepage\root\#UIN\files, with all sorts of features, such as a
chat service, guestbook, and so on. The sign that someone has activated this
service is a small house icon next to their name in the contact list.

Now, the bad part: this little web server made by ICQ is very buggy. Try
telnetting to port 80 and entering the command "quit", and ICQ dies right
away with a GPF message. So, just a warning: don't turn on the
Activate my home page feature if you don't want your ICQ messed with.

Taken from BUGTRAQ:

Sender: Bugtraq List <[EMAIL PROTECTED]>
From: "Ronald A. Jarrell" <[EMAIL PROTECTED]>
Subject:      icq DOS / possible "stupid user" vulnerability.

Ok, I was a bit surprised when, in playing with the new ICQ99a build 1700 v2.13
client (which I believe is the first publicly distributed one of the
99 family), I turned on the "Activate my home page" feature, and turned
my laptop into a web server...

Complete with a file server that allows by default anything in the
"program files\icq\homepage\root\YOUR#\files" folder to be requested.
Even set up a guest book, chat service, etc...

After getting over being astonished (yea, they said "turning this on
might increase people's access to your machine, and tell them your
ip address" - of course it will.  You're setting up a bloody web server
you idiots.  A bad one at that.) I naturally started doing some poking.

Telnet to your port 80, and enter some non http gibberish.  I tried
"quit<cr>" for grins.  Blam.  Down goes the ICQ client with a GPF.
Got someone else to turn theirs on, and sure enough, managed to shoot
him down too.

I warned Mirabilis about it.  Folks at institutions that worry about
such things, but let their employees run ICQ might want to be aware
that said employees might well be running web servers now and not
even know it.  On your ICQ contact list, if they're on it, said
users show up with a little house next to their name.

--
Ron Jarrell
VA Tech Computing Center

I want to live for love,
not to die for love - CiTyHuNTeR