In association with heise online

16 March 2009, 13:41

MLDonkey 3.0 closes security hole


The MLDonkey file sharing program has a security hole that allows access to arbitrary files on a system. The P2P program's web-based management interface, which typically runs on TCP port 4080, does not properly filter requests. This means you can insert a double slash into a query like so


and the server will return the contents of /etc/passwd. The bug is fixed in version 3.0 and affected Linux distributions are already issuing updated packages.
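The class of bug described above, as an added Python example that is not MLDonkey's code and not the request from the advisory: a resolver that strips a single leading slash lets a doubled slash turn the request into an absolute path, while a resolver that canonicalises the path and checks containment keeps it inside the web root. The function names, the mechanism shown and the sample request paths are assumptions constructed for illustration, and POSIX paths are assumed.

```python
import os
import tempfile


def naive_resolve(web_root, request_path):
    # Flawed on purpose: removes one leading slash and trusts the rest.
    # os.path.join() discards web_root when the second argument is absolute.
    return os.path.join(web_root, request_path[1:])


def safe_resolve(web_root, request_path):
    """Return a path inside web_root, or None if the request escapes it."""
    root = os.path.realpath(web_root)
    # Drop every leading separator so the request is always relative.
    relative = request_path.lstrip("/\\")
    # realpath() collapses ".." and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath() compares whole components, so /srv/www-old is not /srv/www.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Resolve constructed request paths with both functions."""
    with tempfile.TemporaryDirectory() as web_root:
        root = os.path.realpath(web_root)
        results = {}
        # Constructed sample inputs for this toy resolver.
        for path in ["/index.html", "//etc/passwd", "/../../etc/passwd"]:
            naive = os.path.normpath(naive_resolve(root, path))
            stays_inside = naive.startswith(root + os.sep)
            results[path] = (stays_inside, safe_resolve(root, path))
        return root, results


if __name__ == "__main__":
    root, results = demo()
    for path, (naive_inside, safe) in results.items():
        print(f"{path!r}: naive stays in root={naive_inside}, safe={safe}")
```
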
