Bug 487132 - MLDonkey: remote arbitrary file disclosure via a GET request with more than one leading / (slash) character in the filename.
Status: CLOSED NEXTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
URL: https://savannah.nongnu.org/bugs/?25667
Whiteboard: reported=20090224,source=gentoo,impac...
Keywords: Security
Duplicates: 488305 488306
Reported: 2009-02-24 08:49 EST by Jan Lieskovsky
Modified: 2009-03-07 10:25 EST
Doc Type: Bug Fix
Last Closed: 2009-03-07 10:25:23 EST

Attachments
Testing patch (please verify its function and correctness). (899 bytes, patch)
2009-02-24 08:52 EST, Jan Lieskovsky

Description Jan Lieskovsky 2009-02-24 08:49:44 EST
The WEB interface in the MLDonkey P2P networks client in mldonkey-2.9.7 and earlier
allows remote attackers to read arbitrary files via a GET request with more than one
leading / (slash) character in the filename. Note: a similar vulnerability to CVE-1999-1456.

References:
https://savannah.nongnu.org/bugs/?25667
http://bugs.gentoo.org/show_bug.cgi?id=260072
http://www.milw0rm.com/exploits/8097
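The report describes the classic failure of a web front end that maps a request path onto its document root by removing exactly one leading slash: a second leading slash leaves an absolute path behind, and a path join then discards the document root. The following Python is an added, generic model of that bug class written for this page; it is not MLDonkey's own (OCaml) code and does not reproduce its real request handler. The document root and the file names used are constructed placeholders, not values from the report. The hardened variant also goes slightly beyond the report by clamping `..` segments, since any confinement check has to handle both.

```python
"""Weak versus hardened mapping of an HTTP request path onto a document root.

Added illustration of the bug class in this report (generic, not MLDonkey's
own code). WEBROOT and the sample request paths are constructed placeholders.
"""
import posixpath
from typing import Optional

WEBROOT = "/srv/example-webroot"  # constructed placeholder document root


def weak_resolve(request_path: str, webroot: str = WEBROOT) -> str:
    """Naive mapping: drop one leading '/' and join with the webroot.

    For '//etc/hostname' the remainder is '/etc/hostname', which is absolute.
    posixpath.join discards every preceding component once a later one is
    absolute, so the webroot vanishes and a host file is served instead.
    """
    relative = request_path[1:] if request_path.startswith("/") else request_path
    return posixpath.join(webroot, relative)


def safe_resolve(request_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Hardened mapping: treat the request path as root-relative regardless of
    how many slashes it starts with, normalise it, then verify containment.

    Returns the absolute filesystem path, or None if the result would fall
    outside the webroot.
    """
    root = posixpath.normpath(webroot)
    # 1. Strip *all* leading slashes so the remainder can never be absolute.
    relative = request_path.lstrip("/")
    # 2. Re-anchor at '/' and normalise: collapses repeated slashes and '.'
    #    segments and clamps any surplus '..' at the virtual root.
    relative = posixpath.normpath("/" + relative).lstrip("/")
    # 3. Join, normalise again and insist the result is the root itself or a
    #    descendant of it (defence in depth; step 2 already guarantees this).
    candidate = posixpath.normpath(posixpath.join(root, relative)) if relative else root
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def compare(request_path: str, webroot: str = WEBROOT) -> dict:
    """Show both mappings side by side and whether the weak one stays in root."""
    root = posixpath.normpath(webroot)
    weak = posixpath.normpath(weak_resolve(request_path, webroot))
    return {
        "request": request_path,
        "weak": weak,
        "weak_inside_root": weak == root or weak.startswith(root + "/"),
        "safe": safe_resolve(request_path, webroot),
    }


if __name__ == "__main__":
    for path in ("/index.html", "//etc/hostname", "///etc/hostname", "/../../etc/hostname", "/"):
        print(compare(path))
```

The string-level check above is what a request handler should do before touching the filesystem; on a live server the candidate path should additionally be passed through `os.path.realpath` (so symlinks inside the webroot cannot point outside it) and the containment test repeated on the resolved path.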
Comment 1 Jan Lieskovsky 2009-02-24 08:52:54 EST
Created attachment 333045 [details]
Testing patch (please verify its function and correctness).
Comment 2 Jan Lieskovsky 2009-02-24 08:53:40 EST
This issue affects all versions of the mldonkey package, as shipped with
Fedora releases of 9, 10, and devel.

Please fix.
Comment 3 Jan Lieskovsky 2009-02-24 08:54:09 EST
PoC:

http://www.milw0rm.com/exploits/8097
Comment 4 Richard W.M. Jones 2009-02-24 18:06:24 EST
FYI here's the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829
Comment 5 Richard W.M. Jones 2009-02-24 18:26:13 EST
I looked at mldonkey somewhat baffled trying to work out how to
make it do anything *at all* .. and couldn't work it out.  So I'm afraid
I couldn't reproduce the supposed security bug.

However I have looked at the patch in comment 1, and I looked at
how it fitted in with the existing code, and the patch appears
reasonable to me.

I also applied it to mldonkey 2.9.7 from Rawhide and built a new
RPM, and it builds without error.  (I have not committed anything to
Rawhide or any other branch).
Comment 6 Richard W.M. Jones 2009-02-26 04:31:49 EST
Built for Rawhide, F-10 and F-9.

Build fails on EL-4 and EL-5, but this package was never
built in those branches (although it was imported) and
can't be built because of the too old version of OCaml.
Comment 7 Fedora Update System 2009-02-26 04:34:27 EST
mldonkey-2.9.7-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc10
Comment 8 Fedora Update System 2009-02-26 04:53:43 EST
mldonkey-2.9.7-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc9
Comment 9 Fedora Update System 2009-02-26 10:32:53 EST
mldonkey-2.9.7-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-02-26 10:34:19 EST
mldonkey-2.9.7-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Peter Lemenkov 2009-03-03 13:01:20 EST
*** Bug 488304 has been marked as a duplicate of this bug. ***
Comment 12 Peter Lemenkov 2009-03-03 13:01:48 EST
*** Bug 488305 has been marked as a duplicate of this bug. ***
Comment 13 Peter Lemenkov 2009-03-03 13:01:57 EST
*** Bug 488306 has been marked as a duplicate of this bug. ***
Comment 14 Peter Lemenkov 2009-03-07 10:25:23 EST
Ok, since updated packages hit the "updates" repositories, I think that we may close this ticket.
