Subject: [UNIX] Knapster and Gnapster allow local file access
Date: Tue, 16 May 2000 20:00:38 +0200
From: support@securiteam.com

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Knapster and Gnapster allow local file access
--------------------------------------------------------------------------------

SUMMARY

Various open source clones of the Napster software package suffer from a dangerous vulnerability where remote users may view files on a machine running a vulnerable Napster clone client. The file access is limited to files accessible by the user running the client; the official commercial version of Napster does not contain this vulnerability.

DETAILS

Vulnerable systems:
John Donoghue's Knapster 0.9
Josh Guilfoyle's Gnapster 1.3.8

Patch:
1) John Donoghue Knapster 0.9:
http://knapster.netpedia.net/#DOWNLOAD
2) Josh Guilfoyle Gnapster 1.3.8:
http://download.sourceforge.net/gnapster/gnapster-1.3.9.tar.gz

ADDITIONAL INFORMATION

The information has been provided by: Jim Early <earlyjp@cs.purdue.edu> and Tom Daniels <daniels@cerias.purdue.edu>.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
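
A defensive check for the class of flaw the SUMMARY describes, as an added example that is not code from Knapster, Gnapster or this advisory: before serving a peer's request, a file-sharing client resolves the requested path and refuses anything outside its shared directory. The function names, the single shared-directory model and the constructed temporary files are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 only if `requested` resolves (symlinks and ".."
 * included) to a regular file inside `share_root`; 0 otherwise. */
int request_is_shared(const char *share_root, const char *requested)
{
    char root[PATH_MAX], file[PATH_MAX];
    struct stat st;
    size_t n;

    if (!realpath(share_root, root) || !realpath(requested, file))
        return 0;                     /* missing or unresolvable path */
    n = strlen(root);
    if (strncmp(file, root, n) != 0 || file[n] != '/')
        return 0;                     /* outside the share (or a sibling dir) */
    return stat(file, &st) == 0 && S_ISREG(st.st_mode);
}

/* Constructed fixture: <tmp>/share/song.mp3 is shared, <tmp>/private.txt is
 * not. Returns a bitmask of the constructed requests that were allowed. */
int run_constructed_demo(void)
{
    char tmp[] = "/tmp/shareXXXXXX", share[64], ok[128], priv[128], dots[128];
    int mask = 0;
    FILE *f;

    if (!mkdtemp(tmp)) return -1;
    snprintf(share, sizeof share, "%s/share", tmp);
    snprintf(ok, sizeof ok, "%s/song.mp3", share);
    snprintf(priv, sizeof priv, "%s/private.txt", tmp);
    snprintf(dots, sizeof dots, "%s/../private.txt", share);
    mkdir(share, 0700);
    if ((f = fopen(ok, "w"))) fclose(f);
    if ((f = fopen(priv, "w"))) fclose(f);
    if (request_is_shared(share, ok))   mask |= 1;  /* file in the share */
    if (request_is_shared(share, priv)) mask |= 2;  /* absolute path outside it */
    if (request_is_shared(share, dots)) mask |= 4;  /* ".." escape */
    unlink(ok); unlink(priv); rmdir(share); rmdir(tmp);
    return mask;
}

int main(void) { printf("allowed mask = %d\n", run_constructed_demo()); return 0; }
```

A client using such a check should open the file it validated and serve from that descriptor, since the path can change between the check and a later open.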