Bug 487132 - MLDonkey: remote arbitrary file disclosure via a GET request with more than one leading / (slash) character in the filename.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: https://savannah.nongnu.org/bugs/?25667
Whiteboard:
Duplicates: 488305 488306
Depends On:
Blocks:
 
Reported: 2009-02-24 13:49 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-07 15:25:23 UTC
Embargoed:


Attachments
Testing patch (please verify its function and correctness). (899 bytes, patch)
2009-02-24 13:52 UTC, Jan Lieskovsky

Description Jan Lieskovsky 2009-02-24 13:49:44 UTC
The WEB interface in the MLDonkey P2P networks client in mldonkey-2.9.7
and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. Note: this is a similar
vulnerability to CVE-1999-1456.

References:
https://savannah.nongnu.org/bugs/?25667
http://bugs.gentoo.org/show_bug.cgi?id=260072
http://www.milw0rm.com/exploits/8097
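To make the bug class concrete, here is an added illustration (not MLDonkey's OCaml code) of a toy web-root mapper: the naive version strips exactly one leading slash, so a path with two leading slashes becomes absolute and leaves the document root, while the hardened version strips all leading slashes, normalises, and checks containment. WEB_ROOT and the function names are assumptions for the example.

```python
import os
import posixpath

# Constructed example: models the "more than one leading /" file-disclosure
# pattern described in the bug and a hardened mapping beside it. This is
# illustration code, not the MLDonkey implementation or its patch.

WEB_ROOT = "/var/lib/mldonkey/html"   # hypothetical document root


def naive_map(request_path: str) -> str:
    """Vulnerable pattern: drop exactly one leading slash, then join.
    For "//etc/passwd" the remainder "/etc/passwd" is still absolute, and
    os.path.join discards WEB_ROOT entirely."""
    relative = request_path[1:] if request_path.startswith("/") else request_path
    return os.path.join(WEB_ROOT, relative)


def safe_map(request_path: str):
    """Hardened mapping: strip every leading slash, normalise the relative
    path, and confirm the result still lies inside WEB_ROOT.
    Returns None for anything that would escape the root.
    (Symlinks inside the root are a separate concern; use realpath there.)"""
    relative = request_path.lstrip("/")
    normalised = posixpath.normpath(relative)
    if normalised.startswith("..") or normalised.startswith("/"):
        return None
    candidate = os.path.normpath(os.path.join(WEB_ROOT, normalised))
    root = WEB_ROOT.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def escapes_root(request_path: str) -> bool:
    """Detection helper: True if the naive mapper would serve a file
    outside WEB_ROOT for this request path."""
    mapped = os.path.normpath(naive_map(request_path))
    root = WEB_ROOT.rstrip("/")
    return not (mapped == root or mapped.startswith(root + "/"))


if __name__ == "__main__":
    for path in ("/index.html", "//etc/passwd", "/../etc/passwd"):
        print(path, "naive ->", naive_map(path), "| safe ->", safe_map(path))
```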

Comment 1 Jan Lieskovsky 2009-02-24 13:52:54 UTC
Created attachment 333045
Testing patch (please verify its function and correctness).

Comment 2 Jan Lieskovsky 2009-02-24 13:53:40 UTC
This issue affects all versions of the mldonkey package, as shipped with
Fedora releases of 9, 10, and devel.

Please fix.

Comment 3 Jan Lieskovsky 2009-02-24 13:54:09 UTC
PoC:

http://www.milw0rm.com/exploits/8097

Comment 4 Richard W.M. Jones 2009-02-24 23:06:24 UTC
FYI here's the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829

Comment 5 Richard W.M. Jones 2009-02-24 23:26:13 UTC
I looked at mldonkey somewhat baffled trying to work out how to
make it do anything *at all* .. and couldn't work it out.  So I'm afraid
I couldn't reproduce the supposed security bug.

However I have looked at the patch in comment 1, and I looked at
how it fitted in with the existing code, and the patch appears
reasonable to me.

I also applied it to mldonkey 2.9.7 from Rawhide and built a new
RPM, and it builds without error.  (I have not committed anything to
Rawhide or any other branch).

Comment 6 Richard W.M. Jones 2009-02-26 09:31:49 UTC
Built for Rawhide, F-10 and F-9.

Build fails on EL-4 and EL-5, but this package was never
built in those branches (although it was imported) and
can't be built because of the too old version of OCaml.

Comment 7 Fedora Update System 2009-02-26 09:34:27 UTC
mldonkey-2.9.7-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc10

Comment 8 Fedora Update System 2009-02-26 09:53:43 UTC
mldonkey-2.9.7-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc9

Comment 9 Fedora Update System 2009-02-26 15:32:53 UTC
mldonkey-2.9.7-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-02-26 15:34:19 UTC
mldonkey-2.9.7-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Peter Lemenkov 2009-03-03 18:01:20 UTC
*** Bug 488304 has been marked as a duplicate of this bug. ***

Comment 12 Peter Lemenkov 2009-03-03 18:01:48 UTC
*** Bug 488305 has been marked as a duplicate of this bug. ***

Comment 13 Peter Lemenkov 2009-03-03 18:01:57 UTC
*** Bug 488306 has been marked as a duplicate of this bug. ***

Comment 14 Peter Lemenkov 2009-03-07 15:25:23 UTC
OK, since the updated packages hit the "updates" repositories, I think that we may close this ticket.

