Bug#516829: Http double slash request arbitrary file access vulnerability
Hi,
this scan was done against MLDonkey 3.0.0:
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Target IP: 192.168.1.8
+ Target Hostname: router
+ Target Port: 4080
+ Start Time: 2009-03-11 22:33:08
---------------------------------------------------------------------------
+ Server: No banner retrieved
- Successfully authenticated to realm "MLdonkey".
+ OSVDB-3126: GET /submit?setoption=q&option=allowed_ips&value=255.255.255.255 : MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ 2967 items checked: 1 item(s) reported on remote host
+ End Time: 2009-03-11 22:35:23 (135 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The message about allowed_ips can be ignored, default is 127.0.0.1.
Cheers, spiralvoice