Full Disclosure mailing list archives
Soulseek gives malicious users access to sensitive files
From: full-disclosure () lists netsys com (Lou Rinaldi)
Date: Mon, 22 Jul 2002 10:09:37 -0400 (EDT)
In much the same way that various search engines are increasingly stumbling upon passwords, credit card numbers, and other classified documents, the file sharing application known as Soulseek seems to allow similarly unrestricted searching. This isn't necessarily a design flaw, but likely yet another case of potential client-side misconfiguration opening unintended holes.

Presumably, the solution (as with other programs of this type) would be for the user to manually limit access only to certain directories (under Options, File Sharing Configuration). However, putting the onus on the end user is a bad idea, as we've previously seen with the WinGate fiasco.

I tried a fresh install accepting all defaults, just to see what drives and/or directories get shared by default. Unfortunately, the Soulseek server is currently down, and the program requires a connection and account setup before it gets to the directory selection stage. So I have no way to determine if sensitive information could potentially be shared as part of a default installation. Regardless, this probably warrants attention from users of the program, and network administrators alike.

see http://www.soulseek.org/

--
Louis J. Rinaldi / Sr. Unix SysAdmin / Trilegiant Corp. / (203) 416-2389
"I'm just here for the gasoline." - Mad Max 2: The Road Warrior

The information in this electronic mail message is Trilegiant Confidential and may be legally privileged. It is intended solely for the addressee(s). Access to this Internet electronic mail message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. The sender believes that this E-mail and any attachments were free of any virus, worm, Trojan horse, and/or malicious code when sent. This message and its attachments could have been infected during transmission. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective and remedial action about viruses and other defects. Trilegiant Corporation is not liable for any loss or damage arising in any way from this message or its attachments.