Bug 20379

Summary: MLdonkey <= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure vulnerability
Product: Branch 4.1 Reporter: Василий Терешко <tolmi>
Component: mldonkey-serverAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED FIXED QA Contact: qa-4.1 <qa-4.1>
Severity: critical    
Priority: P3    
Version: unspecified   
Hardware: all   
OS: Linux   

Description Василий Терешко 2009-06-09 11:43:10 MSD 
MLdonkey (up to 2.9.7) has  a  vulnerability  that allows remote user to access any
file   with   rights   of  running  Mldonkey  daemon  by  supplying  a
special-crafted  request  (ok,  there's  not much special about double
slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd

# milw0rm.com [2009-02-23]
Comment 1 Василий Терешко 2009-06-09 18:28:12 MSD 
Mldonkey 3.0.0 c cайта разработчика легко пересобирается со старым spec файлом, по крайней мере на X86_64
Comment 2 Aeliya Grevnyov 2009-06-23 22:10:54 MSD 
*** Bug 20380 has been marked as a duplicate of this bug. ***
Comment 3 Repository Robot 2009-06-24 13:48:05 MSD 
mldonkey-3.0.0-alt1 -> sisyphus:

* Wed Jun 24 2009 gray_graff <gray_graff@altlinux> 3.0.0-alt1

- 3.0.0 (closes: 18503, 20379, 20380)