However, this allows one to bypass the normal restrictions of the program. If I kept getting put on the "Remotely Queued" list for an item, I could point my browser at the person sharing the file. Then I could download the file w/o the user knowing. I put restrictions of bandwidth and number of users because I have a limited upload speed. This allows one to bypass that restriction.

I believe this hole was revealed back in September sometime on this list because I remember it...I remember showing my friends this bug to alert them to it.

-Colby

-----Original Message-----
From: HarryM [mailto:harrym@the-group.org]
Sent: Monday, February 04, 2002 2:43 AM
To: Blue Boar; Kartik Shinde
Cc: vuln-devat_private
Subject: Re: Reported Kazaa and Morpheus vulnerabilities

> Well, I think that's what the original poster was getting at. Anyone
> here tried the usual .. bugs and so on? (Either successfully or not,
> we'd like to know.)
>

Exactly. The BBC article claims that someone has, but there's no mention of it on CERT or Securityfocus. I mean obviously if there is one it may not have been posted about.. But I thought someone might have heard something.

Certainly simple things such as appending /../ or /..../ to the end of the url don't work, but those funky numeric folder names must mean something.

Harry M