Slashdot Mirror


Security Hole in Morpheus

Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus users' hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man, this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)

8 of 264 comments

  1. fastrack by minus_273 · · Score: 2, Insightful

    It just seems to mention Morpheus... what about FastTrack and Kazaa, which use the same technology?
    All the more reason to use giFT's open network:
    http://gift.sourceforge.net/

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
  2. IS this FUD or what? Possibly... by sker · · Score: 2, Insightful

    What a lack of details in this story! It could have been - but I don't suggest it has been - penned by the RIAA.

    The quote, "It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous," contributed by some anonymous figure is a buzzword-injected contradiction. A worm is the opposite of an accident. It seems unlikely that would be the sort of comment from an informed source.

    This story may turn out to be true, but it could not be any lighter on 1) details, 2) qualified sources.

    --
    nonsig. unsig. desig.
  3. Unsubstantiated Rubbish by Akardam · · Score: 2, Insightful

    I want to see this independently verified. A short article from one news source that is no more than a bunch of one-sentence paragraphs, most of which explain what Morpheus is and some other info about Napster, is not proof.

    FWIW, I use Morpheus quite a bit (always using FairTunes if I keep the song), and I haven't had any problems with it, not spyware, not this, not anything; and I will continue to use it until I see confirmation from at least one other source.

    On the other hand, who knows? Maybe the "Concerned Party" just happens to be paid by one of the **AA's? Think about it. They tell a news org about this "hole" they've discovered, saying, "It's dangerous! Don't use it!", with no proof that would convince even your slightly above average user. Now, us geek types might not flinch, but a whole lot of others out there might. Oh well, just my 2c US.

  4. Re:how to protect yourself by kc8apf · · Score: 2, Insightful

    I know this is pretty obvious, but if everyone turns off sharing of files, then nothing will be available to download.

    --
    kc8apf
  5. Re:ARTICLE IS FALSE by WolfWithoutAClause · · Score: 2, Insightful

    Did you try every possible file path, including '..', embedded CRs, etc., etc.?

    Somehow I suspect you've missed something...

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  6. Uh oh! Security Hole! by cscx · · Score: 3, Insightful
    After close inspection, I have found this security hole to also exist in Apache Web Server, Microsoft Internet Information Server, ProFTPD, and wu-ftpd, along with various Windows FTP servers.

    It's called "being a friggin' idiot and setting the server root to /". However, just like Morpheus and Kazaa, it only takes place under special conditions, notably when "Directory Browsing" is turned on in Apache, called "Virtual Directory Browsing" in IIS.

    This bug, previously encountered before, is casually referred to as the "idiot-moron exploit." Tell me you've never seen .doc files shared on WinMX, et al before. Of course for Apache, IIS, etc, your file permissions have to be set correctly... However, Kazaa runs as the current user, so it only has access to whatever the current user does.... SHARING EXPLICITLY WHAT IS IN THAT DIRECTORY! So, say, for example, I "accidentally" place naked_picture_of_my_cute_girlfriend.jpeg in "My Shared Folder".... It's not a freakin' bug if someone has access to that!

    Kazaa has always used HTTP as its protocol, and this "interface", should you call it that, is probably what it uses to get that respective user's database of files. Duh. Click on them and look at all their files in Kazaa, or use a web browser. Hardly a difference. Unless of course the docroot is C:\. But then again, is that an exploit??? This is ridiculous. Please Slashdot, check the validity of the articles before posting!! :)
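The two failure modes the thread circles around are a share root set to a whole drive (comment 6) and request paths that escape the share root via '..' or embedded control characters (comment 5). The following is an added illustration written for this mirror, not code from Morpheus, Kazaa or any poster; it assumes a hypothetical file-sharing server that receives a path string from a peer and must confine it to the user's chosen shared folder.

```python
import posixpath
import re

# CR, LF, NUL and other control characters have no business in a share
# request; naive string checks are routinely bypassed with them, so refuse.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def resolve_share_path(share_root: str, requested: str):
    """Map a peer-requested path onto the share root.

    Returns the confined absolute path, or None when the request would
    land outside the shared folder. Pure string handling (posixpath), so
    it runs without touching the filesystem.
    """
    if _CONTROL.search(requested):
        return None
    # Treat backslashes as separators: Windows peers send them, and a
    # '..\' segment would otherwise survive POSIX normalisation intact.
    cleaned = requested.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(share_root)
    # normpath collapses '.' and '..' so the containment test is exact.
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    inside = candidate == root or candidate.startswith(root.rstrip("/") + "/")
    return candidate if inside else None


def share_root_is_too_broad(share_root: str) -> bool:
    """True when the configured share root is an entire drive or the
    filesystem root, i.e. the 'docroot is C:\\' misconfiguration."""
    stripped = share_root.replace("\\", "/").rstrip("/")
    return stripped == "" or re.fullmatch(r"[A-Za-z]:", stripped) is not None


if __name__ == "__main__":
    # Constructed sample requests, the kind a peer might send.
    root = "/home/alice/My Shared Folder"
    for req in ["music/song.mp3", "../.ssh/id_rsa", "..\\..\\boot.ini",
                "docs/\r\nsecret.txt", "music/../../etc/passwd", "/"]:
        print(repr(req), "->", resolve_share_path(root, req))
    for cfg in ["/", "C:\\", root]:
        print(repr(cfg), "too broad:", share_root_is_too_broad(cfg))
```

Traversal is refused by the containment check rather than by pattern-matching '..', so prefix look-alikes (a sibling folder named "My Shared Folder2") are rejected as well.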

  7. The real security hole. by red_gnom · · Score: 2, Insightful

    The only security hole is the hole in the brain of the person who created the article :-)

  8. Re:Slashdot Not Newsworthy by Rubbersoul · · Score: 2, Insightful

    Not trying to troll here, but man (or woman), if you don't like the quality then leave. That is the joy of living in a world where you can make decisions. If you do decide to stay, though, then don't complain about it, because that just seems counterproductive, now doesn't it?

    --
    man .sig
    No manual entry for .sig.