[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Mldonkey-bugs] [Bug #492] Potential security problem - mldonkey creatin
[Mldonkey-bugs] [Bug #492] Potential security problem - mldonkey creating subdirectories.
Wed, 29 May 2002 00:07:24 -0400
=================== Bug #492: Full Bug Snapshot ===================
Submitted by: None Project: mldonkey, open e-Donkey client
Submitted on: 2002-May-28 20:02
Category: None Severity: 5 - Major
Bug Group: None Resolution: None
Assigned to: None Status: Open
Summary: Potential security problem - mldonkey creating subdirectories.
Original Submission: Hi!
I'm not sure if i just found a potential security threat in mlDonkey 1.16. I
have written another description of the problem to one of the developers
(including hashes for the file), because i don't wanted to post hashes/and or
I just finished some download and commited the files using the "commit"
command. This was the filename as it was shown in the web-interface:
Downloaded 2 files [ Num ] File Size MD4
[3 ] some-scvd.bin 800000000 SOME_LENGTHY_MD4_CHECKSUM
After commiting, i looked into the incoming directory, and noticed that
mldonkey created a subdirectory, containing a single file:
fli4l:/mnt/hda4/incoming/ed2k # tree
1 directory, 1 files
So mldonkey seems to have created a subdirectory named
"Some_subdirectory_created_by_mldonkey_after_committing", containing a single
Is this the wanted behaviour? I'm afraid that this could be a potential
security threat, if the file would have been written to something like
"/root/i0wnzY0" or something like that..
I'm going to post this mail to the bug tracking forum, too (but without real
filenames and hashes).
Date: 2002-May-29 00:07 By: None
I don't think this is a security hole, btw if you run mldonkey as root it's
your own fault ;)
If you think it could write somewhere in the users home dir run it in a chroot
For detailed info, follow this link: