Instant messengers write in arbitrary directories
According to an advisory published by iDefense, the instant messaging applications AIM and ICQ allow attackers to place arbitrary files on a target system if the victim accepts the file transfer. Including the "../" directory-traversal sequence in a file name lets the file escape the download directory chosen by the user and be saved in any directory of the file system.
The advisory explains that the attacker is free to specify the display name shown in the ICQ download dialog independently of the file name used later for the actual download. However, the instant messenger does not overwrite existing files without prompting the user for confirmation.
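The receiver-side decision described above, as an added example that is not code from the advisory or from either client: the naive join the advisory describes next to a hardened version, plus a hypothetical acceptance check that refuses a transfer whose dialog name differs from the name that would actually be written. The download directory is a constructed temporary directory.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample download directory (a fresh temp dir, so the example
# runs offline and writes nothing of interest).
DOWNLOAD_DIR = tempfile.mkdtemp(prefix="im-downloads-")


def naive_target(download_dir: str, offered_name: str) -> Path:
    """The weak pattern the advisory describes: the sender-supplied name is
    joined onto the user's download directory as-is, so ".." segments in it
    walk back out of that directory."""
    return Path(os.path.normpath(os.path.join(download_dir, offered_name)))


def escapes(download_dir: str, offered_name: str) -> bool:
    """True when the naive join would land outside download_dir."""
    base = Path(download_dir).resolve()
    return base not in naive_target(download_dir, offered_name).resolve().parents


def safe_target(download_dir: str, offered_name: str) -> Path:
    """Hardened version: keep only the last path component of the offered
    name, then prove the resolved result still sits directly in download_dir."""
    base = Path(download_dir).resolve()
    # PureWindowsPath splits on both "\\" and "/", so a sender cannot smuggle
    # a directory through either separator convention or a drive letter.
    leaf = PureWindowsPath(offered_name).name
    if leaf in ("", ".", ".."):
        raise ValueError(f"rejected file name: {offered_name!r}")
    target = (base / leaf).resolve()
    # resolve() follows symlinks, so a pre-planted link in the download
    # directory pointing elsewhere fails this check as well.
    if target.parent != base:
        raise ValueError(f"file name escapes download directory: {offered_name!r}")
    return target


def accept_transfer(download_dir: str, displayed_name: str, offered_name: str):
    """Hypothetical acceptance check for the two-name case in the advisory:
    the name shown in the transfer dialog must equal the name actually
    written. Returns the destination Path, or None if the offer is refused."""
    try:
        target = safe_target(download_dir, offered_name)
    except ValueError:
        return None
    return target if displayed_name == target.name else None
```

The hardened path keeps only the leaf name rather than trying to strip ".." sequences, since a filter that rewrites names tends to miss encodings the join logic still understands.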
According to iDefense, active ICQ clients have already been patched through the automatic update mechanism to close this hole. Users of AIM 5.9 or earlier are advised to upgrade to the latest available version, although a fix that is not described in detail has also been applied on the AIM infrastructure side.