• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

ICQ 99a File Existence Information Leakage Vulnerability

A vulnerability in the ICQ-Webserver component of ICQ 99a is enables ("Active Homepage" is checked) remote users can determine whether specific files exists in the computer, although they cannot see it's contents.

This version of the ICQ-Webserver only servers files that reside in the ICQ-Homepage directory. If a remote user request a file that is not in that directory and the file exists the server will respond with a "403 Forbbidden" HTTP error. If the file does not exist the user receives a "404 Not found" HTTP error.