Subject: [UNIX] Knapster and Gnapster allow local file access
Date: Tue, 16 May 2000 20:00:38 +0200
From: support@securiteam.com


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

          Knapster and Gnapster allow local file access
--------------------------------------------------------------------------------

SUMMARY

Various open source clones of the Napster software package suffer from a
dangerous vulnerability where remote users may view files on a machine
running a vulnerable Napster clone client. The file access is limited to
files accessible by the user running the client; the official commercial
version of Napster does not contain this vulnerability.

DETAILS

Vulnerable systems:
John Donoghue's Knapster 0.9
Josh Guilfoyle's Gnapster 1.3.8

Patch:

1) John Donoghue Knapster 0.9:
http://knapster.netpedia.net/#DOWNLOAD

2) Josh Guilfoyle Gnapster 1.3.8:
http://download.sourceforge.net/gnapster/gnapster-1.3.9.tar.gz

ADDITIONAL INFORMATION

The information has been provided by: Jim Early <earlyjp@cs.purdue.edu>
and Tom Daniels <daniels@cerias.purdue.edu>.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.