COMMAND

    Scour

SYSTEMS AFFECTED

    Scour client

PROBLEM

    'Jmp' found the following.  Scour (www.scour.net) is a file sharing
    client much like Gnutella and Napster.  Scour provides a search
    engine devoted to searching the Scour community, or the web, for
    multimedia files.

    Use is simple: set up a folder that files are downloaded to and
    specify the folders to share with the rest of the Scour community.
    The client is coded so that, when one browses another user's shared
    files, it only returns multimedia files (mp2, mp3, vivo, ra, mpeg,
    etc.).  No wildcards are supported, and only the file formats hard
    coded into the client can be searched for, viewed or downloaded.

    Anyone on the network already has read access to the folders a user
    shares with Scour; the only thing stopping them from seeing and
    fetching non-multimedia files is the client, and its file type
    restrictions are easily circumvented because, as stated above, they
    are hard coded into the client.  At present Scour has only released
    a Win32 client (plus a user-provided Perl client), and it is trivial
    to open the binary in a hex editor and replace, e.g., MP2 with FOO or
    MOO (use your imagination here) or any other file type of the same
    length.  Once this is done the client happily searches for, lists
    and downloads those file types; apparently no CRC or other integrity
    check is done to detect that the binary has been modified.  This
    would normally not be a problem, but we have seen quite a few users
    who share their WINDOWS/ or PROGRAM FILES/ (i.e. sensitive)
    directories, thinking that other users will not be able to download
    anything but media files.  Those users are lulled into a false sense
    of security.  Nor does an attacker need to bother with hex editing
    the binary, since Scour has released its protocol

        http://www.scour.net/Software/Scour_Exchange/stp-1.0pre6.html

    thus making it quite easy for anyone who can code and work with
    sockets to write their own client, one that lets any and all files
    be searched for and downloaded.

SOLUTION

    Scour should implement the filters on the server side, so that only
    the file types they specify can be searched for and downloaded, and
    so that a modified or third-party client gains nothing.  It is
    unknown when, or if, that is going to happen.  Until then Scour
    users are strongly advised to be a LOT more picky about which
    folders they share, since anyone can see and fetch anything and
    everything in those folders.
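
    The following is an added, self-contained example illustrating both
    the hex-edit bypass described under PROBLEM and the server-side
    filter proposed under SOLUTION.  It is not Scour code, does not
    speak the STP protocol, and does not know the real client's layout:
    the CLIENT_IMAGE blob, its EXTTAB: marker, the SHARED_FOLDER listing
    and the SERVER_ALLOWED list are all constructed here for the
    demonstration.  The first half emulates the client's hard-coded
    extension table and shows that a same-length in-place patch (MP2 ->
    INI) makes win.ini visible while leaving the file size unchanged;
    the second half shows an allowlist check that, applied on the side
    answering search and download requests, refuses the same file no
    matter which client asks.

```python
import hashlib

# --- constructed inputs -------------------------------------------------
# Stand-in for the Win32 client binary (assumption: the real client's
# layout is not documented in the advisory).  This blob just carries a
# NUL-separated extension table behind a marker so the hex-edit can be
# demonstrated.
TABLE_MARKER = b"EXTTAB:"
CLIENT_IMAGE = (
    b"\x4d\x5a header and code bytes\x00\x01\x02"
    + TABLE_MARKER
    + b"MP2\x00MP3\x00MPEG\x00VIVO\x00RA\x00"
    + b"\x00"                        # double NUL ends the table
    + b"\x55\x8b\xec more code\x90\x90\xc3"
)

# Constructed listing of a victim's share: media mixed with WINDOWS\ files.
SHARED_FOLDER = ["song.mp3", "clip.MPEG", "win.ini", "passwords.txt", "README"]

# The allowlist a server-side filter would enforce (assumed list).
SERVER_ALLOWED = frozenset({"mp2", "mp3", "mpeg", "vivo", "ra"})


# --- the client-side "filter" and how it is patched --------------------
def extension_table(image: bytes) -> list:
    """Recover the hard-coded extension list from the client image."""
    start = image.index(TABLE_MARKER) + len(TABLE_MARKER)
    end = image.index(b"\x00\x00", start)
    return [e.decode("ascii") for e in image[start:end].split(b"\x00") if e]


def extension_of(name: str) -> str:
    """Extension as Win32 resolves it: basename only, trailing dots and
    spaces dropped (Windows strips them when opening a file), case-folded."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def client_shows(image: bytes, shared: list) -> list:
    """What a browsing user sees: only names whose extension is in the table."""
    allowed = {e.lower() for e in extension_table(image)}
    return [f for f in shared if extension_of(f) in allowed]


def patch_extension(image: bytes, old: str, new: str) -> bytes:
    """The hex-editor step: overwrite one table entry in place.  The new
    entry must be the same length so nothing after it shifts, and the old
    one must be unique so the wrong bytes are not touched."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the original length")
    needle = old.encode("ascii") + b"\x00"
    if image.count(needle) != 1:
        raise ValueError("expected exactly one table entry for %r" % old)
    return image.replace(needle, new.encode("ascii") + b"\x00")


def fingerprint(image: bytes) -> str:
    """SHA-256 of the image: what an integrity check would compare against
    a known-good build, had the client or server performed one."""
    return hashlib.sha256(image).hexdigest()


# --- the server-side filter the advisory asks for ----------------------
def server_permits(name: str) -> bool:
    """Decide on the side that answers search/download requests, ignoring
    whatever the requesting client claims.  Control bytes (NUL included)
    are rejected outright: a C-based server would truncate the name there."""
    if any(ord(c) < 0x20 for c in name):
        return False
    return extension_of(name) in SERVER_ALLOWED


def serve_request(name: str) -> str:
    """Answer a download request against the constructed share."""
    if name not in SHARED_FOLDER or not server_permits(name):
        return "403 not a media file"
    return "200 " + name


if __name__ == "__main__":
    patched = patch_extension(CLIENT_IMAGE, "MP2", "INI")
    print("stock client shows:  ", client_shows(CLIENT_IMAGE, SHARED_FOLDER))
    print("patched client shows:", client_shows(patched, SHARED_FOLDER))
    print("size unchanged:", len(patched) == len(CLIENT_IMAGE),
          " hash unchanged:", fingerprint(patched) == fingerprint(CLIENT_IMAGE))
    for req in ("win.ini", "win.ini\x00.mp3", "song.mp3"):
        print(repr(req), "->", serve_request(req))
```

    The patch keeps the file size identical, which is why a naive "is
    the binary the right size" check would not notice it; only a hash or
    CRC over the image changes.  The server-side check deliberately
    derives the extension the way the serving file system will, and
    rejects names carrying NUL or other control bytes rather than trying
    to interpret them, so that a custom STP client asking for
    "win.ini\0.mp3" does not get win.ini.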