CVE-2009-0753

mldonkey 2.8.4-2.9.7 - Path Traversal via Leading Double Slash

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0753. PoCs published by Michael Peselnik.

AI-analyzed exploit summary: The exploit leverages a directory traversal vulnerability in MLDonkey's HTTP GUI (tcp/4080) by using a double slash (//) to bypass path sanitization, allowing unauthorized access to arbitrary files on the system. The PoC demonstrates this by fetching /etc/passwd via a crafted HTTP request.

Description

Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 allows remote attackers to read arbitrary files via a leading "//" (double slash) in the filename.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Michael Peselnik · text · remote · multiple
https://www.exploit-db.com/exploits/8097

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: MLDonkey up to 2.9.7
No auth needed
Prerequisites: Network access to the MLDonkey HTTP GUI (typically tcp/4080) · MLDonkey daemon running with insufficient path sanitization
devstral-2 · analyzed Feb 18, 2026

References (12)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33865
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8097
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34008
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34436
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/02/23/1
Various Sources x_refsource_confirm
http://savannah.nongnu.org/bugs/?25667
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200903-36.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34345
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1739
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34306

Scores

EPSS 0.1088
EPSS Percentile 93.5%

Details

CWE
CWE-22
Status published
Products (5)
mldonkey/mldonkey 2.8.4
mldonkey/mldonkey 2.8.7
mldonkey/mldonkey 2.9
mldonkey/mldonkey 2.9.0-r3
mldonkey/mldonkey 2.9.7
Published Mar 03, 2009
Tracked Since Feb 18, 2026