Security Hole in Morpheus

Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus user's hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)

Uh oh! Security Hole!

[cscx]

After close inspection, I have found this security hole to also exist in Apache Web Server, Microsoft Internet Information Server, ProFTPD, and wu-ftpd, along with various Windows FTP servers.

It's called "being an friggin idiot and setting the server root to /". However, just like Morpheus and Kazaa, it only takes place under special conditions, notably when "Directory Browsing" is turned on in Apache, called "Virtual Directory Browsing" in IIS.

This bug, previously encountered before, is casually referred to as the "idiot-moron exploit." Tell me you've never seen .doc files shared on WinMX, et al before. Of course for Apache, IIS, etc, your file permissions have to be set correctly... However, Kazaa runs as the current user, so it only has access to whatever the current user does.... SHARING EXPLICITLY WHAT IS IN THAT DIRECTORY! So, say, for example, I "accidentally" place naked_picture_of_my_cute_girlfriend.jpeg in "My Shared Folder".... It's not a freakin' bug if someone has access to that!

Kazaa has always used HTTP as its protocol, and this "interface", should you call it, it probably what it uses to get that respective user's database of files. Duh. Click on them, and look at all their files in Kazaa, or use a web browser. Hardly a difference. Unless of course the docroot is C:\. But then again, is that an exploit??? This is ridiculous. Please Slashdot, check the validity of the articles before posting!! :)