# CVE-2026-36227: Easy Chat Server 3.1 UserName Path Traversal

## Summary

Easy Chat Server 3.1 contains a path traversal vulnerability in the user registration flow. A remote attacker can submit traversal sequences in the `UserName` parameter of `POST /registresult.htm`, causing the application to use attacker-controlled path components during registration-related file creation.

This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.

## Discoverer

Vaibhav D. Barkade

## Vulnerable Component

- Vendor/Product: Easy Chat Server
- Affected version: 3.1
- Component: User Registration
- Endpoint: `/registresult.htm`
- Parameter: `UserName`
- Attack type: Remote

## Impact

The issue allows path traversal and unauthorized file write outside the intended registration/user-data location. If the attacker-controlled path reaches a web-executable directory and the server processes the created file as active content, the impact can escalate to arbitrary code execution.

The public PoC is intentionally benign. It demonstrates the traversal-controlled registration request with a harmless proof filename and does not ship executable payload content.

## Reproduction

Run the PoC against a lab instance you own or have permission to test:

```bash
python3 poc.py 127.0.0.1 80
```

The default submitted `UserName` value is:

```text
../../ecs-traversal-proof.txt
```

To preview the exact HTTP request without sending it:

```bash
python3 poc.py 127.0.0.1 80 --dry-run
```

To test a different proof filename:

```bash
python3 poc.py 127.0.0.1 80 --username '../../custom-proof.txt'
```

## Expected Result

On a vulnerable target, the registration request is accepted while preserving traversal path components from the `UserName` parameter. The operator should inspect the Easy Chat Server installation or web/root directory for the created proof artifact.
## Root Cause

The application accepts a user-controlled registration field and uses it in a filesystem-sensitive context without sufficiently rejecting traversal sequences or enforcing that the final path remains inside the intended directory.

## Mitigation

Reject path traversal sequences, path separators, drive prefixes, and encoded equivalents in `UserName`. Resolve the final filesystem path with canonicalization and enforce that it remains inside the intended storage directory before creating or writing any file. Do not allow user-controlled files to be created in web-executable directories.
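The following is an added illustration of the mitigation described above; it is not Easy Chat Server code and not part of the PoC. The storage directory, the function names, the allowed user-name character set and the sample inputs are assumptions constructed for the example. It contrasts the unsafe pattern (joining the raw field into a path) with a hardened path that rejects separators, traversal sequences, drive or UNC prefixes, NUL bytes and percent-encoded equivalents, then canonicalizes the result and checks that it is still inside the storage root before any file would be created.

```python
"""
Hardened handling of a user-supplied registration name that ends up in a
filesystem path. Added example, not Easy Chat Server code: STORAGE_DIR, the
function names and the sample inputs are assumptions for illustration.
"""
import os
import re
from urllib.parse import unquote

# Assumed storage location for registration data (placeholder, not the product's real path).
STORAGE_DIR = "/srv/ecs/users"

# Conservative allow-list for a user name: letters, digits, '_', '-', '.',
# no leading dot, bounded length. Anything outside this set is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so '%252e%252e' is seen as '..' before checking."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_user_file_path(username: str, storage_dir: str = STORAGE_DIR) -> str:
    """The unsafe pattern: join user input straight into a path. Shown only for contrast."""
    return os.path.normpath(os.path.join(storage_dir, username))


def validate_username(username: str) -> str:
    """Reject traversal sequences, separators, drive/UNC prefixes, NULs and encoded forms."""
    decoded = fully_decode(username)
    if "\x00" in decoded:
        raise ValueError("NUL byte in user name")
    if "/" in decoded or "\\" in decoded:
        raise ValueError("path separator in user name")
    if ".." in decoded:
        raise ValueError("traversal sequence in user name")
    if re.match(r"^[A-Za-z]:", decoded) or decoded.startswith("\\\\"):
        raise ValueError("drive or UNC prefix in user name")
    if not USERNAME_RE.fullmatch(decoded):
        raise ValueError("user name contains disallowed characters")
    return decoded


def safe_user_file_path(username: str, storage_dir: str = STORAGE_DIR) -> str:
    """Validate, then canonicalize and enforce containment before any file is created."""
    name = validate_username(username)
    root = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # Defence in depth: even after validation, confirm the resolved path stays under root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes storage directory")
    return candidate


def is_safe_username(username: str) -> bool:
    """True only if the name passes every check and resolves inside the storage root."""
    try:
        safe_user_file_path(username)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the PoC's default value, an encoded variant, a normal name.
    for sample in ["../../ecs-traversal-proof.txt", "..%2F..%2Fproof.txt", "alice"]:
        print(f"{sample!r}: naive={naive_user_file_path(sample)} safe={is_safe_username(sample)}")
```

The allow-list regex does most of the work; the explicit separator, traversal and prefix checks exist so that the rejection reason is specific in logs, and the final `commonpath` check catches anything the earlier filters miss (for example a symlink under the storage root). Note that validation runs on the fully decoded value, so single- and double-encoded traversal sequences are treated the same as their literal form.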