lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.BSF.4.43.0207220947240.35725-100000@mcfeely.oakview.cuc.com>
From: rinaldi at trilegiant.com (Lou Rinaldi)
Subject: Soulseek gives malicious users access to sensitive files

In much the same way that various search engines are increasingly
stumbling upon passwords, credit card numbers, and other classified
documents, the file sharing application known as Soulseek seems to allow
similarly unrestricted searching. This isn't necessarily a design flaw,
but likely yet another case of potential client-side misconfiguration
opening unintended holes.

Presumably, the solution (as with other programs of this type) would be
for the user to manually limit access only to certain directories (under
Options, File Sharing Configuration). However, putting the onus on the end
user is a bad idea, as we've previously seen with the WinGate fiasco.

I tried a fresh install accepting all defaults, just to see what drives
and/or directories get shared by default.  Unfortunately, the Soulseek
server is currently down, and the program requires a connection and
account setup before it gets to the directory selection stage. So I have
no way to determine if sensitive information could potentially be shared
as part of a default installation. Regardless, this probably warrants
attention from users of the program, and network administrators alike.

see http://www.soulseek.org/

-- 
Louis J. Rinaldi / Sr. Unix SysAdmin / Trilegiant Corp. / (203) 416-2389
 "I'm just here for the gasoline."	  - Mad Max 2: The Road Warrior

The information in this electronic mail message is Trilegiant Confidential
and may be legally privileged. It is intended solely for the addressee(s).
Access to this Internet electronic mail message by anyone else is
unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or action taken or omitted to be taken in reliance
on it is prohibited and may be unlawful.

The sender believes that this E-mail and any attachments were free of any
virus, worm, Trojan horse, and/or malicious code when sent. This message
and its attachments could have been infected during transmission. By
reading the message and opening any attachments, the recipient accepts
full responsibility for taking protective and remedial action about
viruses and other defects. Trilegiant Corporation is not liable for any
loss or damage arising in any way from this message or its attachments.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ