20380 2009-06-09 11:44:49 +0400 MLdonkey <= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure vulnerability 2009-06-23 22:10:54 +0400 1 1 4 Development Sisyphus mldonkey-server unstable all Linux CLOSED DUPLICATE 20379 P3 critical --- 1 tolmi gray_graff gray_graff qa-sisyphus oldest_to_newest 92767 0 tolmi 2009-06-09 11:44:49 +0400 MLdonkey (up to 2.9.7) has a vulnerability that allows remote user to access any file with rights of running Mldonkey daemon by supplying a special-crafted request (ok, there's not much special about double slash) to an Mldonkey http GUI (tcp/4080 usually). Reference: https://savannah.nongnu.org/bugs/?25667 Thus, the exploit would be as simple as accessing any file on a remote host with your browser and double slash: http://mlhost:4080//etc/passwd # milw0rm.com [2009-02-23] 93584 1 gray_graff 2009-06-23 22:10:54 +0400 дубль *** This bug has been marked as a duplicate of bug 20379 ***