MLDonkey HTTP Request Arbitrary File Access Vulnerability

Vulnerability ID: 1117418
Vulnerability type: Path traversal
Published: 2009-02-23
Updated: 2009-03-24
CVE ID: CVE-2009-0753
CNNVD-ID: CNNVD-200903-053
Platform: Multiple
CVSS score: 5.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/8097
https://www.securityfocus.com/bid/33865
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-053
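|Vulnerability Details
MLDonkey is an open-source eDonkey client. The src/utils/lib/url.ml script in MLDonkey does not correctly handle file requests that begin with two slashes. A remote attacker who submits a malicious request to MLDonkey's HTTP GUI (usually tcp/4080) can access files outside the WebRoot.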
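The following is an added illustration of this class of defect and its fix, not MLDonkey's own code (which is OCaml). The root directory `WEBROOT` and the functions `naive_resolve` and `safe_resolve` are hypothetical, and the naive variant is an assumed way a double-slash request can end up as an absolute path, not a reproduction of url.ml.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/webroot"  # hypothetical document root (assumption)


def naive_resolve(request_path: str) -> str:
    """Flawed mapping: strips ONE leading slash, then joins with the root.

    For "//etc/passwd" the remainder is still absolute ("/etc/passwd"),
    and join() discards the root when its second argument is absolute.
    """
    rel = request_path[1:] if request_path.startswith("/") else request_path
    return posixpath.join(WEBROOT, rel)


def safe_resolve(request_path: str):
    """Return a path inside WEBROOT, or None if the request escapes it."""
    decoded = unquote(request_path)        # decode %2e%2e and similar first
    if "\x00" in decoded:
        return None
    rel = decoded.lstrip("/")              # drop ALL leading slashes
    candidate = posixpath.normpath(posixpath.join(WEBROOT, rel))
    # Containment check on the normalised result. A real server should
    # also resolve symlinks (os.path.realpath) before this comparison.
    if candidate != WEBROOT and not candidate.startswith(WEBROOT + "/"):
        return None
    return candidate


def compare(paths):
    """Resolve each request path with both functions for side-by-side review."""
    return [(p, naive_resolve(p), safe_resolve(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample request paths
    samples = ["/index.html", "//etc/passwd", "/../etc/passwd",
               "/%2e%2e/etc/passwd"]
    for path, naive, safe in compare(samples):
        print(f"{path!r:24} naive={naive!r:28} safe={safe!r}")
```

With the containment check in place, the double-slash request resolves to a path under the root (where it simply will not exist) instead of to the system file.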
|Exploit (EXP)
MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to access any
file with the rights of the running Mldonkey daemon by supplying a
specially crafted request (ok, there's not much special about double
slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd

# milw0rm.com [2009-02-23]
|Affected Products
Red Hat Fedora 9
Red Hat Fedora 10
Mldonkey Mldonkey 2.9.7
Mldonkey Mldonkey 2.9
Mldonkey Mldonkey 2.9.0-r3
Gentoo Linux
Debian Linux 5.0 sparc
|References

Source: FEDORA
Name: FEDORA-2009-2758
Link: https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00617.html
Source: FEDORA
Name: FEDORA-2009-2703
Link: https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00542.html
Source: BID
Name: 33865
Link: http://www.securityfocus.com/bid/33865
Source: MLIST
Name: [oss-security] 20090223 CVE request: mldonkey arbitrary file download vulnerability
Link: http://www.openwall.com/lists/oss-security/2009/02/23/1
Source: MILW0RM
Name: 8097
Link: http://www.milw0rm.com/exploits/8097
Source: GENTOO
Name: GLSA-200903-36
Link: http://www.gentoo.org/security/en/glsa/glsa-200903-36.xml
Source: DEBIAN
Name: DSA-1739
Link: http://www.debian.org/security/2009/dsa-1739
Source: SECUNIA
Name: 34436
Link: http://secunia.com/advisories/34436
Source: SECUNIA
Name: 34345
Link: http://secunia.com/advisories/34345
Source: SECUNIA
Name: 34306
Link: http://secunia.com/advisories/34306
Source: SECUNIA
Name: 34008
Link: http://secunia.com/advisories/34008
Source: savannah.nongnu.org
Link: http://savannah.nongnu.org/bugs/?25667