Full Disclosure mailing list archives
Soulseek gives malicious users access to sensitive files
From: full-disclosure () lists netsys com (Stuart Moore)
Date: Fri, 26 Jul 2002 11:48:18 -0400
I tried a fresh install accepting all defaults, just to see what drives and/or directories get shared by default.
Hi. The Soulseek vendor responded that Soulseek does not share anything by default. But, the vendor mentioned that version 135 and prior versions contained a bug. If you chose to share a directory, and then subsequently choose to 'unshare' one of its subdirectories, the newly 'unshared' subdir may inadvertently become re-shared. This has reportedly been corrected in version 136.

We've written an alert on the topic:

http://securitytracker.com/alerts/2002/Jul/1004819.html

Stuart

==========================================================

Lou Rinaldi wrote:

In much the same way that various search engines are increasingly stumbling upon passwords, credit card numbers, and other classified documents, the file sharing application known as Soulseek seems to allow similarly unrestricted searching. This isn't necessarily a design flaw, but likely yet another case of potential client-side misconfiguration opening unintended holes.

Presumably, the solution (as with other programs of this type) would be for the user to manually limit access only to certain directories (under Options, File Sharing Configuration). However, putting the onus on the end user is a bad idea, as we've previously seen with the WinGate fiasco.

I tried a fresh install accepting all defaults, just to see what drives and/or directories get shared by default. Unfortunately, the Soulseek server is currently down, and the program requires a connection and account setup before it gets to the directory selection stage. So I have no way to determine if sensitive information could potentially be shared as part of a default installation. Regardless, this probably warrants attention from users of the program, and network administrators alike.

see http://www.soulseek.org/