<?xml version="1.0" encoding="UTF-8" ?>

<bugzilla version="5.2"
          urlbase="https://bugzilla.altlinux.org/"
          
          maintainer="jenya@basealt.ru"
>

    <bug>
          <bug_id>20379</bug_id>
          
          <creation_ts>2009-06-09 11:43:10 +0400</creation_ts>
          <short_desc>MLdonkey &lt;= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure vulnerability</short_desc>
          <delta_ts>2009-06-24 13:48:05 +0400</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>3</classification_id>
          <classification>Distributions</classification>
          <product>Branch 4.1</product>
          <component>mldonkey-server</component>
          <version>unspecified</version>
          <rep_platform>all</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>CLOSED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P3</priority>
          <bug_severity>critical</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Василий Терешко">tolmi</reporter>
          <assigned_to name="Nobody&apos;s working on this, feel free to take it">nobody</assigned_to>
          
          
          <qa_contact name="qa-4.1@altlinux.org">qa-4.1</qa_contact>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>92766</commentid>
    <comment_count>0</comment_count>
    <who name="Василий Терешко">tolmi</who>
    <bug_when>2009-06-09 11:43:10 +0400</bug_when>
    <thetext>MLdonkey (up to 2.9.7) has  a  vulnerability  that allows remote user to access any
file   with   rights   of  running  Mldonkey  daemon  by  supplying  a
special-crafted  request  (ok,  there&apos;s  not much special about double
slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd

# milw0rm.com [2009-02-23]</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>92807</commentid>
    <comment_count>1</comment_count>
    <who name="Василий Терешко">tolmi</who>
    <bug_when>2009-06-09 18:28:12 +0400</bug_when>
    <thetext>Mldonkey 3.0.0 c cайта разработчика легко пересобирается со старым spec файлом, по крайней мере на X86_64</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>93585</commentid>
    <comment_count>2</comment_count>
    <who name="Aeliya Grevnyov">gray_graff</who>
    <bug_when>2009-06-23 22:10:54 +0400</bug_when>
    <thetext>*** Bug 20380 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>93616</commentid>
    <comment_count>3</comment_count>
    <who name="Repository Robot">repository-robot</who>
    <bug_when>2009-06-24 13:48:05 +0400</bug_when>
    <thetext>mldonkey-3.0.0-alt1 -&gt; sisyphus:

* Wed Jun 24 2009 gray_graff &lt;gray_graff@altlinux&gt; 3.0.0-alt1

- 3.0.0 (closes: 18503, 20379, 20380)</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>