[Please upgrade as soon as a patch is available if you use mldonkey with the HTTP interface. Don't use it in the meantime -- Raju]
This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: Chris Sharp <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] XSS In mldonkey - But....
Date: Fri, 31 Oct 2003 11:27:45 -0800 (PST)

Mldonkey is an open source p2p client which supports a load of networks. It doesn't have a built-in UI; you can telnet into it, or there's a web interface which can be accessed from http://127.0.0.1:4080/ (or whatever port you configure it to run on).

They've done a great job at making sure there are no XSS issues, especially with data coming from the network. You can inject scripts into the html error page rather trivially using

http://127.0.0.1:4080/<script>...</script>

But who cares? There are far more dangerous things you can do if you can make the mldonkey go to URLs, for example....

http://localhost:4080/submit?setoption=q&option=allowed_ips&value=255.255.255.255

This will unlock the IP based access control; suddenly everyone in the world can access the search interface. The whole control system is via http: you can search, download, whatever, all via http.

If you can get the user to go to arbitrary URLs then you can do dangerous things directly without having to resort to XSS, although the XSS does have some uses in terms of automating multiple requests. Being really Evil is left as an exercise for the reader.

Now, if there were some method to inject html via responses to a p2p search, then the whole thing would be a little more interesting. Some media files may contain embedded URLs; that may be an interesting way of delivering payloads across a P2P network.

So, at the very least the web interface should include some referrer checking to ensure that commands aren't being generated from untrusted pages. This is a general problem with any application controlled via web interfaces.

Chris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------

End of this Digest
******************

-- 
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
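The mitigation Chris proposes, referrer checking on the web interface, is illustrated below as an added example. It is not mldonkey's code and not part of the original mail; it is a stand-alone Python check a web UI handler could run before acting on a request. Assumptions: only the /submit path quoted in the message is treated as state-changing, the interface is plain http, and the sample requests (including the host name other-site.example) are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Request paths whose GET requests change state. Assumption for this example:
# only the /submit path quoted in the message is treated as state-changing.
STATE_CHANGING_PREFIXES = ("/submit",)


def is_state_changing(path):
    """True if the request path (query string ignored) can alter configuration."""
    return path.split("?", 1)[0].startswith(STATE_CHANGING_PREFIXES)


def check_request(path, headers):
    """Decide whether a request may be served.

    headers: dict of HTTP request headers (any case). Returns (allowed, reason).
    Read-only paths pass. State-changing paths must carry an Origin or Referer
    whose scheme://host:port matches the Host the UI was addressed as; a missing
    or foreign value is refused, because the server cannot otherwise tell a click
    inside the UI from a request that an unrelated page made the browser issue.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not is_state_changing(path):
        return True, "read-only path"
    host = h.get("host")
    if not host:
        return False, "state-changing request without Host header"
    # Origin is preferred when present; Referer is what browsers send for
    # navigations and embedded images, and is the header the mail refers to.
    src = h.get("origin") or h.get("referer")
    if not src:
        return False, "state-changing request without Origin/Referer"
    parts = urlsplit(src)
    # "Origin: null" and non-URL strings fail here: no http scheme, no authority.
    if parts.scheme != "http" or parts.netloc.lower() != host.lower():
        return False, f"cross-origin request from {src!r}"
    return True, "same-origin"


def demo():
    """Constructed requests (not captured traffic) against the URL quoted in the mail."""
    path = "/submit?setoption=q&option=allowed_ips&value=255.255.255.255"
    ui_host = "127.0.0.1:4080"  # default port quoted in the message
    cases = {
        # The user clicked a control on the UI's own page.
        "from_ui": {"Host": ui_host, "Referer": f"http://{ui_host}/"},
        # Another page embedded the URL (link, image, redirect); Referer names that page.
        "from_foreign_page": {"Host": ui_host, "Referer": "http://other-site.example/page.html"},
        # Referer suppressed entirely; refused because provenance cannot be shown.
        "no_referer": {"Host": ui_host},
    }
    results = {name: check_request(path, hdrs)[0] for name, hdrs in cases.items()}
    # The index page is read-only, so it is served wherever the link came from.
    results["index_from_foreign_page"] = check_request("/", cases["from_foreign_page"])[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'refused'}")
```

The comparison is deliberately strict: a Referer of http://127.0.0.1:4080/ on a request addressed to Host localhost:4080 is refused, so the UI should link to itself consistently. Because the check also refuses requests with no Referer at all, users whose browsers strip the header lose the state-changing paths; a per-session token carried in each command URL is the usual way to remove that dependency while still blocking requests that foreign pages trigger.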