Pretty serious issues (Winamp maintainers plz read)

[|LDR|aDa]

Dunno how to say this, but if you get my hint, /pub/music is widely open.
No authentication whatsoever needed to gain acces to the root of the FS.

(Winamp Community authoritives please PM for details)

[Bilbo Baggins]

Say what?

[Russ]

Well, if you mean you can go here and download all the lovely DRMed licensed AOL goodness, then that is correct. And that's not a bug.

And if you mean you can go here and look at the wonderful, properly permissioned chrooted goodness of ftp27e.newaol.com, then you'd also be correct. But there's no vulnerability there (except that you can download all their music and videos, which is sort of the point...).

So in fact, there's not actually a problem at all.

[|LDR|aDa]

*blushes*

[Germ]

Aw Russ, you embarassed them. For shame for shame.

[|LDR|aDa]

I really should do more research before alarming everyone like that :P

[|LDR|aDa]

Nevertheless, youve got like
ftp25e
ftp25d
ftp25c
ftp25b

and the list goes on, all open and public FTP servers.

You are practically begging to be hacked.

And no, ive got no idea whatsoever what sequrity measures youve taken, but in my eyes something like this isnt the smartest thing to do.

[Russ]

They're only "open" insofar as you can see a directory listing of the public FTP root. These aren't small-time fileservers - these things serve software of the like of Netscape, Mozilla, Compuserve, AOL, as well as Winamp and have done for several years. If they were hackable it would have been done (and it hasn't).

[|LDR|aDa]

ftp.newaol.com is the main one, right?

[THEMike]

ftp.newaol.com would (probably) be a load balancer that will hand off download to one of a bunch of mirror servers as one server couldn't cope with the full load.

It'll do this on a round-robin, or load based algorithm. It will know which servers are up via a heart beat system probably.

If you're going to offer downloads of software, you need some kind of annon download, FTP is preferable to HTTP as download management is easier for users.

Thousands of companies on the web have open, public, FTP/HTTP download servers, some get hacked, most don't. It's not hard to have a protected, open FTP download for stuff like winamp.

Especialy when you are AOL.

[Agent007]

So, how'd u know about the FTP servers?

Quote:

Originally posted by |LDR|aDa
Nevertheless, youve got like
ftp25e
ftp25d
ftp25c
ftp25b

and the list goes on, all open and public FTP servers.

[InvisableMan]

when theres a /pub in the string then you know it's probably MEANT to be mostly wide open :P

[fwgx]

I often say the same about womens legs in my local too.

[ertmann|CPH]

OMG! OMG! OMG! another dane being lame

velkommen til vores lille sted på nettet iøvrigt, please enjoy your stay, watch out for Bilbo and all that jazz...

- Stefan

[bored154]

um... do you know what /pub stands for? it stands for "public"(sorry if im stating the obvious)

[added] oh ya and did you know theres UK Music too? http://ftp27e.newaol.com/pub/music/uk/ and you can go here also... http://ftp27e.newaol.com/pub/ [/added]

[added again]VIDEOS [/added again]

[|LDR|aDa]

Jo tak ertmann ... bor self i KBH.
/me joined Aug 2003

@agent007:
Lets say.... i was looking for more.
Ive been playing Uplink for too long now .)

[ertmann|CPH]

oh well, har bare aldrig set dig før...

[bored154]

Quote:

Originally posted by |LDR|aDa
@agent007:
Lets say.... i was looking for more.
Ive been playing Uplink for too long now .)

thats a fucking hacking tool!!!

[dlinkwit27]

it's a hacking game maybe, but not a tool.

[bored154]

did you look at their website? its a hacking tool.... it can hack into locked servers... find out who people are, find their records.... its a hacking tool....

[added] nm i looked in their forums... it says "Stuck in the game? come here" but it could be modified to be a hacking tool... [/added]

[Loveless]

well, in all fairness, notepad.exe can be a hacking tool. If he were malicious, he wouldn't have thought the things he thought and then come posted them in here. Odds are, anyway. There's no accounting for people.

[Russ]

Uplink isn't a hacking tool, it's a game which has very little to do with hacking/cracking in the real world.

Locking, this thread has run its course.

(I'm quite drunk)