NullByte8080/CVE-2026-36227
# CVE-2026-36227: Easy Chat Server 3.1 UserName Path Traversal PoC
This repository contains a benign proof of concept for `CVE-2026-36227`, a path traversal issue in Easy Chat Server 3.1 user registration handling.
This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.
## Summary
Easy Chat Server 3.1 accepts registration data through `POST /registresult.htm`. The `UserName` parameter is not sufficiently sanitized before it is used by the application. A traversal-style value such as `../../ecs-traversal-proof.txt` can cause the application to write outside the intended user registration path.
The public PoC intentionally uses a harmless proof filename and does not include executable webshell or command-execution content.
## Discoverer
Vaibhav D. Barkade
## Affected Product
- Product: Easy Chat Server
- Version: 3.1
- Component: User registration
- Endpoint: `/registresult.htm`
- Parameter: `UserName`
## Usage
Run against a lab instance you own or are authorized to test:

```
python3 poc.py 127.0.0.1 80
```

Print the request without sending it:

```
python3 poc.py 127.0.0.1 80 --dry-run
```

Use a custom traversal proof value:

```
python3 poc.py 127.0.0.1 80 --username '../../ecs-traversal-proof.txt'
```
## Expected Result
If the target is vulnerable, the server processes the registration request with the traversal-controlled `UserName` value. The operator should inspect the Easy Chat Server installation or web/root directory for the resulting proof artifact.
## Severity
Suggested severity depends on the deployed environment and reachable write path. If unauthenticated remote users can write into a web-executable path, the issue can lead to remote code execution and should be treated as high or critical. If the write is limited to non-executable locations, the direct impact is path traversal and unauthorized file write.
## Mitigation
- Reject path separators and traversal sequences in `UserName`.
- Canonicalize and validate destination paths before file creation.
- Store user-controlled files under a fixed directory and enforce containment.
- Avoid using user-controlled values directly as filesystem paths.
- Disable or restrict web execution in upload/user-data directories.
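The first three mitigations combined into one server-side check, as an added example that is not code from this repository or from Easy Chat Server. The function names, the `.dat` suffix, the 32-character limit and the allowlist itself are assumptions chosen for illustration.

```python
import os
import re
import tempfile

# Allowlist (assumed policy): 1-32 letters, digits, "_" or "-".
# No ".", "/", "\\" or ":" can pass, so "../" and drive prefixes are rejected.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Windows device names, which open a device instead of a file.
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}


class InvalidUserName(ValueError):
    """Raised when a UserName must not be used to build a file path."""


def user_record_path(base_dir, username):
    """Map a UserName to a record path that is guaranteed to sit in base_dir."""
    if not _USERNAME_RE.fullmatch(username):
        raise InvalidUserName("disallowed characters or length")
    if username.upper() in _RESERVED:
        raise InvalidUserName("reserved device name")
    base = os.path.realpath(base_dir)
    # Canonicalize (resolves symlinks and "..") before the containment check.
    candidate = os.path.realpath(os.path.join(base, username + ".dat"))
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidUserName("resolved path escapes the user directory")
    return candidate


def register(base_dir, username, record):
    """Create the user's record; mode "xb" refuses to overwrite an existing file."""
    path = user_record_path(base_dir, username)
    with open(path, "xb") as fh:
        fh.write(record)
    return path


def is_accepted(base_dir, username):
    """True if the UserName passes validation and containment."""
    try:
        user_record_path(base_dir, username)
        return True
    except ValueError:  # InvalidUserName, or commonpath() across Windows drives
        return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as users:  # constructed lab directory
        # Constructed inputs; the second is the proof value from this README.
        for name in ["alice", "../../ecs-traversal-proof.txt", "..\\..\\x", "NUL"]:
            print(repr(name), "accepted" if is_accepted(users, name) else "rejected")
```

The containment check after `realpath` is kept even though the allowlist already blocks separators, because it also catches a symlink planted inside the user directory.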