URL: <http://savannah.nongnu.org/bugs/?25667>
Summary: Http double slash request arbitrary file access vulnerability
Project: mldonkey, a multi-networks file-sharing client
Submitted by: kyak
Submitted on: Sun 22 Feb 2009 08:55:40
Category: HTTP interface
Severity: 3 - Normal
Item Group: Program malfunction
Status: None
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 2.9.7
Operating System: Linux
Binaries Origin: CVS / Self compiled
CPU type: Intel x86
_______________________________________________________
Details:
I can access http://myip:4080//etc/passwd from my browser.
Actually, I can access any file readable by mldonkey; I just need to put a
double slash before the name.
It looks like a thttpd double slash request arbitrary file access
vulnerability CVE-1999-1456.
I am astonished that this has been staying undetected and unfixed for such a
long time.
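Added example, not part of the original report and not mldonkey's code: one common way a double slash ends up as an absolute filesystem path, next to a resolver that confines requests to the document root. naive_resolve, safe_resolve and DOC_ROOT are hypothetical names; the naive pattern is an assumption about this class of bug, not a reading of mldonkey's source.

```python
import os

# Constructed document root for the demo; not mldonkey's real layout.
DOC_ROOT = "/srv/webui"


def naive_resolve(url_path, root=DOC_ROOT):
    """Hypothetical vulnerable pattern: strip one leading slash, then join.

    For "//etc/passwd" the remainder "/etc/passwd" is still absolute, and
    os.path.join() discards every component before an absolute one.
    """
    rel = url_path[1:] if url_path.startswith("/") else url_path
    return os.path.join(root, rel)


def safe_resolve(url_path, root=DOC_ROOT):
    """Return a path guaranteed to lie inside root, or None to refuse."""
    if "\x00" in url_path:
        return None
    # Drop all leading slashes so the remainder can never be absolute.
    rel = url_path.lstrip("/")
    root_real = os.path.realpath(root)
    # realpath collapses "..", repeated slashes and symlinks before the check.
    candidate = os.path.realpath(os.path.join(root_real, rel))
    # Containment check on the canonical path, not on the request string.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for request in ("/index.html", "//etc/passwd", "/../etc/passwd"):
        print(request, "naive:", naive_resolve(request),
              "safe:", safe_resolve(request))
```

The containment check runs on the canonical path after joining, so it also covers ".." segments and symlinks that point outside the root, not only the double-slash form from the report.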