COMMAND

    BearShare

SYSTEMS AFFECTED

    BearShare 2.2.2 and prior (Windows 95/98/ME) with its Web Site feature enabled

PROBLEM

    Aviram Jenik found the following.  BearShare is a Windows file
    sharing (Gnutella) program from Free Peers, Inc. that lets you, your
    friends, and everyone in the world share files.  A serious security
    vulnerability in the product allows remote attackers to download
    any file on the local disk, even if it has not been added to the
    shared list.

    The vulnerability allows remote attackers to access files that
    reside outside the upload root that BearShare serves from, so a
    remote attacker can download any readable file without
    restriction.  The vulnerability resides in BearShare's Web Site
    feature.

    BearShare does protect against the classic dotdot ('..') attack,
    but the filtering is insufficient: the check only catches the
    literal '..' component, and a path component made of a long run of
    dots bypasses it while the Windows 9x/ME file system still treats
    it as a step up to the parent directory.  The attack does not seem
    to work against Windows 2000 machines, and not all file types can
    be downloaded (for example, .avi and .mpg files will not be
    downloaded).  The vendor has not provided information about which
    platforms are vulnerable or which file types can be downloaded.

    Example:

        http://vulnerable:6346/........../windows/win.ini

    This would download the win.ini file from the Windows directory,
    which is outside the shared directory.

SOLUTION

    The vendor has released a new version that fixes this problem.
    Users are encouraged to download and install it as soon as
    possible.

    Disabling BearShare's Web Site feature removes the vulnerable
    component and prevents exploitation; doing so is generally
    recommended unless the feature is needed.