Easy Chat Server Directory Traversal Vulnerability Allowing Arbitrary Code Execution

A directory traversal vulnerability has been identified in Easy Chat Server version 3.1. This vulnerability allows remote attackers to access sensitive information and execute arbitrary code by exploiting the UserName parameter during user registration. The issue arises because the application does not properly sanitize the UserName input, enabling attackers to manipulate the file path and write outside the designated user registration directory.

Impact

Exploitation of this vulnerability could lead to unauthorized file writes. If the written file is within a web-executable directory, it could result in remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the /registresult.htm endpoint with a crafted UserName parameter that includes traversal sequences, such as ../../ecs-traversal-proof.txt. If the server is vulnerable, it will process the request and write the traversed file name to the specified path, potentially allowing for code execution if the write location is web-executable.

Remediation

To address this vulnerability, reject path separators and traversal sequences in the UserName parameter. Canonicalize and validate destination paths before creating files. Store user-controlled files in a fixed directory and enforce containment. Avoid using user-controlled values directly as filesystem paths, and disable or restrict web execution in directories where user data is uploaded or stored.