MLdonkey 2.9.7 - Arbitrary File Disclosure

Author: Michael Peselnik
type: remote
platform: multiple
date_added: 2009-02-22 
date_updated: 2017-02-14 
verified: 1 
codes: OSVDB-52291;CVE-2009-0753 

MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to
read any file with the rights of the running MLdonkey daemon by sending a
specially crafted request (ok, there's not much special about a double
slash) to the MLdonkey HTTP GUI (usually tcp/4080).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and a double slash:

http://mlhost:4080//etc/passwd

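The bug class and a containment check, as an added Python example that is not part of the original advisory and is not MLdonkey's code. It assumes a hypothetical document root and a handler that strips one leading slash before joining; the advisory does not describe the actual root cause. The hardened function also rejects dot-dot escapes, which goes beyond the double-slash case.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the HTTP GUI (assumption, not from the advisory).
DOC_ROOT = "/var/lib/mldonkey/web"


def naive_resolve(request_target, root=DOC_ROOT):
    """Illustrative bug: strip ONE leading '/' and join with the root.
    For '//etc/passwd' the remainder is still absolute, and joining an
    absolute path discards the root entirely."""
    path = request_target.split("?", 1)[0]
    return posixpath.join(root, path[1:])


def safe_resolve(request_target, root=DOC_ROOT):
    """Map a request target to a path inside root, or return None to reject."""
    path = unquote(request_target.split("?", 1)[0])
    if "\x00" in path:
        return None
    # Treat the request path as relative: drop every leading slash.
    rel = path.lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    # Containment check after normalisation. A real server should also
    # resolve symlinks (os.path.realpath) before comparing.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample request targets.
    for target in ("/index.html", "//etc/passwd", "/../../etc/passwd"):
        print(f"{target!r:22} naive={naive_resolve(target)!r} "
              f"safe={safe_resolve(target)!r}")
```
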
# milw0rm.com [2009-02-23]