Bug 20379 - MLdonkey <= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure vulnerability
Summary: MLdonkey <= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure vulnerability
Status: CLOSED FIXED
Alias: None
Product: Branch 4.1
Classification: Distributions
Component: mldonkey-server (show other bugs)
Version: unspecified
Hardware: all Linux
: P3 critical
Assignee: Nobody's working on this, feel free to take it
QA Contact: qa-4.1@altlinux.org
URL:
Keywords:
: 20380 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-06-09 11:43 MSD by Василий Терешко
Modified: 2009-06-24 13:48 MSD (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Василий Терешко 2009-06-09 11:43:10 MSD 
MLdonkey (up to 2.9.7) has  a  vulnerability  that allows remote user to access any
file   with   rights   of  running  Mldonkey  daemon  by  supplying  a
special-crafted  request  (ok,  there's  not much special about double
slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd

# milw0rm.com [2009-02-23]
Comment 1 Василий Терешко 2009-06-09 18:28:12 MSD 
Mldonkey 3.0.0 c cайта разработчика легко пересобирается со старым spec файлом, по крайней мере на X86_64
Comment 2 Aeliya Grevnyov 2009-06-23 22:10:54 MSD 
*** Bug 20380 has been marked as a duplicate of this bug. ***
Comment 3 Repository Robot 2009-06-24 13:48:05 MSD 
mldonkey-3.0.0-alt1 -> sisyphus:

* Wed Jun 24 2009 gray_graff <gray_graff@altlinux> 3.0.0-alt1

- 3.0.0 (closes: 18503, 20379, 20380)