
Bug#516829: Http double slash request arbitrary file access vulnerability



Hi,

this scan was done against MLDonkey 3.0.0:

---------------------------------------------------------------------------
- Nikto 2.02/2.03     -     cirt.net
+ Target IP:       192.168.1.8
+ Target Hostname: router
+ Target Port:     4080
+ Start Time:      2009-03-11 22:33:08
---------------------------------------------------------------------------
+ Server: No banner retrieved
- Successfully authenticated to realm "MLdonkey".
+ OSVDB-3126: GET /submit?setoption=q&option=allowed_ips&value=255.255.255.255 : MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ 2967 items checked: 1 item(s) reported on remote host
+ End Time:        2009-03-11 22:35:23 (135 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The message about allowed_ips can be ignored, default is 127.0.0.1.

Cheers, spiralvoice
