MLDonkey 3.0 closes security hole
The MLDonkey file sharing program has a security hole which allows access to arbitrary files on a system. The P2P program's web-based management interface, which typically runs on TCP port 4080, does not properly filter requests. This means you can insert a double slash into a query like so:
http://mlhost:4080//etc/passwd
and the server will return the contents of /etc/passwd. The bug is fixed in version 3.0 and affected Linux distributions are already issuing updated packages.
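The following is an added example, not MLDonkey's code: a Python model of how a double slash can defeat a handler that strips only one leading slash, next to a resolver that confines every request to the web root. The function names and the stripping logic in `naive_resolve` are assumptions made for illustration.

```python
import os
import tempfile


def naive_resolve(web_root, url_path):
    # Hypothetical flawed logic: strip a single leading slash, then join.
    # os.path.join discards web_root when the remainder is still absolute,
    # so "//etc/passwd" resolves to "/etc/passwd".
    return os.path.join(web_root, url_path[1:])


def safe_resolve(web_root, url_path):
    """Return a path inside web_root, or None if the request escapes it."""
    root = os.path.realpath(web_root)
    # Drop every leading slash so the request is always treated as relative.
    relative = url_path.lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # Confinement check, done after ".." and symlinks have been resolved.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    # Constructed sample requests, resolved against an empty temporary root.
    with tempfile.TemporaryDirectory() as web_root:
        results = {}
        for request in ("/index.html", "//etc/passwd", "/../../etc/passwd"):
            results[request] = (naive_resolve(web_root, request),
                                safe_resolve(web_root, request))
        return results


if __name__ == "__main__":
    for request, (naive, safe) in demo().items():
        print(f"{request!r}: naive={naive!r} safe={safe!r}")
```

With the confined resolver the double-slash request maps to a non-existent file under the web root, and a `..` request is rejected outright.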
See also:
- Http double slash request arbitrary file access vulnerability, bug report from MLDonkey.
- MLDonkey:New Release 3.0.0, release announcement.
(djwm)
















