VID | 27342 |
Severity | 30 |
Port | 6346 |
Protocol | TCP |
Class | P2P |
Detailed Description |
LimeWire, a P2P file sharing program, contains multiple vulnerabilities in versions 4.6.0 and earlier: a file disclosure vulnerability and a directory traversal vulnerability. By sending a specially crafted GET request in the form of /gnutella/res/[filename], or an HTTP magnet request, containing "dot dot" sequences (/../), a remote attacker could traverse directories and read arbitrary files on the affected host.
* References:
  http://archives.neohapsis.com/archives/bugtraq/2005-03/0225.html
  http://secunia.com/advisories/14555/
  http://www.gentoo.org/security/en/glsa/glsa-200503-37.xml
* Platforms Affected: LimeWire versions 4.6.0 and earlier (any operating system, any version) |
Recommendation |
If P2P file sharing programs are not allowed at your organization, uninstall the program.
-- OR --
Upgrade to the latest version of LimeWire (4.8 or later), available from the LimeWire Web site at http://www.limewire.com/english/content/home.shtml |
Related URL | CVE-2005-0788, CVE-2005-0789 (CVE) |
Related URL | 12802 (SecurityFocus) |
Related URL | 19693, 19695 (ISS) |
|
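The check below is an added example, not part of the original record or of any vendor signature: it flags logged HTTP requests whose target contains a "dot dot" path segment, and marks those under the /gnutella/res/ form named in the description. It goes slightly beyond the record by decoding percent-encoding (including nested encoding) and treating backslashes as separators; the log line layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

RES_PREFIX = "/gnutella/res/"  # request form named in the description
# Assumed log layout: ... "METHOD target HTTP/x.y" ... (constructed, not a LimeWire format)
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d\.\d"')
# A '..' segment bounded by a slash/backslash or by the start/end of the target
TRAVERSAL = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so nested encodings of '.' and '/' are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(log_line):
    """Return None for clean or unparsable lines, otherwise a finding label."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return None
    target = decode_fully(match.group("target"))
    if not TRAVERSAL.search(target):
        return None
    return "traversal:res" if target.startswith(RES_PREFIX) else "traversal:other"


# Constructed sample lines (documentation IP ranges, placeholder file names)
SAMPLE = [
    '198.51.100.7 "GET /gnutella/res/song.mp3 HTTP/1.1" 200',
    '198.51.100.9 "GET /gnutella/res/../../example.txt HTTP/1.1" 200',
    '198.51.100.9 "GET /gnutella/res/%2e%2e/%2e%2e/example.txt HTTP/1.1" 200',
    '198.51.100.9 "GET /gnutella/res/%252e%252e%252fexample.txt HTTP/1.0" 404',
    '203.0.113.4 "GET /gnutella/res/my..notes.txt HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line in SAMPLE:
        label = classify(line)
        if label:
            print(f"{label}: {line}")
```

A 200 response to a flagged request on a host running LimeWire 4.6.0 or earlier is the case to investigate first, since it suggests a file was actually returned.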