LIMEWIRE BUGS

In the course of implementing Credence, we found two critical vulnerabilities in the popular LimeWire client. The links below describe these problems:

• Logo-image port vulnerability (Affects versions 4.1.2 - 4.5.6, inclusive)
• Magnet port vulnerability (Affects versions 3.9.6 - 4.6.0, inclusive)

The vulnerabilities allow anyone on the network to read any file on a machine that is connected to the Gnutella network with the LimeWire client. The first vulnerability can be exploited even if the host is behind a firewall. A simple telnet client is sufficient to take advantage of these vulnerabilities.

We contacted LimePeer on February 26, 2005 with a description of these problems. LimeWire responded immediately and had a patch ready within a few hours. They were very responsive, forthright, and diligent; the patch completely addresses these problems. If you are a LimeWire user, please UPDATE YOUR CLIENT to Credence 1.2 or LimeWire 4.8.0 (or above)!!!