However, this allows one to bypass the normal restrictions of the
program. If I kept getting put on the "Remotely Queued" list for an
item, I could point my browser at the person sharing the file. Then I
could download the file w/o the user knowing. I put restrictions on
bandwidth and number of users because I have a limited upload speed.
This allows one to bypass that restriction. I believe this hole was
revealed back in September sometime on this list because I remember
it...I remember showing my friends this bug to alert them to it.
-Colby
-----Original Message-----
From: HarryM [mailto:harrym_at_the-group.org]
Sent: Monday, February 04, 2002 2:43 AM
To: Blue Boar; Kartik Shinde
Cc: vuln-dev_at_securityfocus.com
Subject: Re: Reported Kazaa and Morpheus vulnerabilities
> Well, I think that's what the original poster was getting at. Anyone
> here tried the usual .. bugs and so on? (Either successfully or not,
> we'd like to know.)
>
Exactly. The BBC article claims that someone has, but there's no mention of
it on CERT or Securityfocus. I mean obviously if there is one it may not
have been posted about.. But I thought someone might have heard something.
Certainly simple things such as appending /../ or /..../ to the end of the
url don't work, but those funky numeric folder names must mean something.
Harry M
Received on Feb 08 2002