The WEB interface in the MLDonkey P2P networks client in mldonkey-2.9.7 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. Note: a vulnerability similar to CVE-1999-1456. References: https://savannah.nongnu.org/bugs/?25667 http://bugs.gentoo.org/show_bug.cgi?id=260072 http://www.milw0rm.com/exploits/8097
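The class of bug described above is a path-resolution flaw: a handler that strips only one leading slash leaves an absolute path behind, and joining an absolute path onto the document root silently discards the root. The following Python is an added illustration, not MLDonkey's code or the attached patch; `DOC_ROOT`, `resolve_weak` and `resolve_safe` are hypothetical names, and the weak handler models the bug class rather than the actual OCaml source.

```python
import posixpath
from typing import Optional

# Constructed document root for the example; not taken from the report.
DOC_ROOT = "/var/lib/mldonkey/web"


def resolve_weak(url_path: str) -> str:
    """Hypothetical weak handler modelling the reported bug class.

    It strips exactly one leading slash and joins the remainder onto the
    document root. For "//etc/passwd" the remainder is still absolute, so
    posixpath.join throws the document root away and the resolved path
    escapes the web directory entirely.
    """
    rel = url_path[1:] if url_path.startswith("/") else url_path
    return posixpath.normpath(posixpath.join(DOC_ROOT, rel))


def resolve_safe(url_path: str) -> Optional[str]:
    """Hardened variant: every leading slash is removed, duplicate separators
    and '.' / '..' components are normalised, and the final path must stay
    inside DOC_ROOT. Returns None for any request that cannot be served.
    """
    # Remove all leading slashes so the remainder can only be relative.
    rel = url_path.lstrip("/")
    # Collapse "a//b", "a/./b" and "a/../b" into canonical form.
    norm = posixpath.normpath(rel)
    # Any path that still climbs above the root is rejected outright.
    if norm == ".." or norm.startswith("../"):
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, norm))
    # Defence in depth: re-check containment on the joined result.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    for req in ("/index.html", "//etc/passwd", "/../etc/passwd", "/a//b"):
        print(f"{req!r:20} weak={resolve_weak(req)!r:32} safe={resolve_safe(req)!r}")
```

Running the block shows the weak resolver mapping `//etc/passwd` to `/etc/passwd`, while the hardened resolver maps the same request to a location under `DOC_ROOT` and rejects `..` traversal; the containment check after the join is what keeps any future slash-handling mistake from turning into a file read outside the web directory.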
Created attachment 333045: Testing patch (please verify its function and correctness).
This issue affects all versions of the mldonkey package, as shipped with Fedora releases of 9, 10, and devel. Please fix.
PoC: http://www.milw0rm.com/exploits/8097
FYI here's the Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829
I looked at mldonkey somewhat baffled trying to work out how to make it do anything *at all* .. and couldn't work it out. So I'm afraid I couldn't reproduce the supposed security bug. However I have looked at the patch in comment 1, and I looked at how it fitted in with the existing code, and the patch appears reasonable to me. I also applied it to mldonkey 2.9.7 from Rawhide and built a new RPM, and it builds without error. (I have not committed anything to Rawhide or any other branch).
Built for Rawhide, F-10 and F-9. Build fails on EL-4 and EL-5, but this package was never built in those branches (although it was imported) and can't be built because of the too old version of OCaml.
mldonkey-2.9.7-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc10
mldonkey-2.9.7-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc9
mldonkey-2.9.7-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
mldonkey-2.9.7-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 488304 has been marked as a duplicate of this bug. ***
*** Bug 488305 has been marked as a duplicate of this bug. ***
*** Bug 488306 has been marked as a duplicate of this bug. ***
Ok, since the updated packages have hit the "updates" repositories, I think that we may close this ticket.