URL:
  <http://savannah.nongnu.org/patch/?6754>

                 Summary: Http double slash request arbitrary file access vulnerability
                 Project: mldonkey, a multi-networks file-sharing client
            Submitted by: kyak
            Submitted on: Tue 24 Feb 2009 19:30:44 CET
                Category: None
                Severity: 6 - Security
              Item Group: None
                  Status: None
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 
                 Release: None
        Operating System: None
         Binaries Origin: None
                CPU type: None

    _______________________________________________________

Details:

I can access http://myip:4080//etc/passwd from my browser.

Actually, I can access any file readable by mldonkey; I just need to put a
double slash before the name.

It looks like a thttpd double slash request arbitrary file access
vulnerability CVE-1999-1456.

I am astonished that this has stayed undetected and unfixed for such a
long time.
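
The behaviour reported above, modelled as an added example that is not part of the original report and is not mldonkey's code: one assumed way a double-slash request can escape a document root (strip a single leading slash, then join), next to a resolver that collapses empty segments and checks containment. `DOCROOT` and both function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/lib/mldonkey/web"  # assumed document root, not from the report


def naive_resolve(target, docroot=DOCROOT):
    """Assumed vulnerable pattern: drop one leading '/' and join to docroot."""
    path = unquote(target.split("?", 1)[0])
    relative = path[1:] if path.startswith("/") else path
    # For "//etc/passwd" the remainder is still absolute ("/etc/passwd"),
    # and posixpath.join() discards docroot when a later part is absolute.
    return posixpath.join(docroot, relative)


def safe_resolve(target, docroot=DOCROOT):
    """Return a path guaranteed to sit under docroot, or None to refuse."""
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path:
        return None
    # Collapse empty segments (produced by "//") and "." segments.
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    # Containment check; a real server would also compare os.path.realpath()
    # results so that symlinks inside docroot cannot point outside it.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample request targets
    for t in ("/index.html", "//etc/passwd", "/%2Fetc/passwd", "/../etc/passwd"):
        print(f"{t!r:20} naive={naive_resolve(t)!r:40} safe={safe_resolve(t)!r}")
```
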

    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Mon 19 Jan 2004 13:37:14 CET   By: Andreas Mueller <amu>
added lib. 

-------------------------------------------------------
Date: Tue 25 Nov 2003 13:06:02 CET   By: -Deleted Account- <lizdeika>
oh
the same for most (maybe all)
apps in "Desktop Preferences"





