Package: mldonkey-server
Version: 2.9.5-2
Severity: grave
Tags: security

Hi,

MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to access any file with the rights of the running MLdonkey daemon by supplying a specially crafted request (ok, there's not much special about a double slash) to the MLdonkey HTTP GUI (tcp/4080 usually).

Reference: https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote host with your browser and a double slash:

http://mlhost:4080//etc/passwd
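
The report shows that a second leading slash was enough to leave the GUI's file area. As an added example (not MLdonkey's code, which is written in OCaml and whose root cause is not shown in this report), the Python below contrasts one assumed flawed pattern, stripping a single leading slash before joining, with a resolver that confines every request to its document root. `DOC_ROOT`, `naive_resolve` and `safe_resolve` are hypothetical names.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for this example; not an MLdonkey path.
DOC_ROOT = "/var/lib/example-gui/htdocs"


def naive_resolve(request_target, root=DOC_ROOT):
    """Assumed flawed pattern: strip ONE leading slash, then join.

    For "//etc/passwd" the remainder is still absolute ("/etc/passwd"),
    and os.path.join discards the root when a later part is absolute.
    """
    path = unquote(request_target.split("?", 1)[0])
    if path.startswith("/"):
        path = path[1:]
    return os.path.join(root, path)


def safe_resolve(request_target, root=DOC_ROOT):
    """Return a path confined to root, or None if the request escapes it."""
    path = unquote(request_target.split("?", 1)[0])
    if "\x00" in path:
        return None
    # Drop every leading slash so the remainder is always relative.
    relative = path.lstrip("/")
    root_real = os.path.realpath(root)
    # Normalise "..", duplicate slashes and symlinks before checking.
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # Containment check on the normalised result, not on the raw string.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate
```

The containment check runs on the fully normalised path, so it also rejects `..` sequences and percent-encoded variants, not only the double slash from the report.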