Re: KaZaA

From: Alex Lambert (alambert@webmaster.com)
Date: 10/18/02


From: "Alex Lambert" <alambert@webmaster.com>
To: "David Krum" <frobnitz@msn.com>, <bugtraq@securityfocus.com>
Date: Fri, 18 Oct 2002 15:55:57 -0500


Kazaa's IE control (at least in 1.7.x) seems to treat certain URLs
differently, too, which could pose a problem. For example,
http://localhost/KazaaSearchQuery performs a search (a form for this is
displayed on desktop.kazaa.com). Putting more than 272 bytes into the query
argument causes a crash; I haven't checked if it's posisble to run malicious
code with this.

apl
----- Original Message -----
From: "David Krum" <frobnitz@msn.com>
To: <bugtraq@securityfocus.com>
Sent: Friday, October 18, 2002 11:33 AM
Subject: KaZaA

> I'm concerned about all the applications which utilize ie browser
controls.
> There are a lot of adware programs with little ads. Some of these ads
have
> activex, java, flash, js. Any one of these capabilities in the wrong zone
> could be dangerous.
>
> My attention was first drawn to this when I noticed KaZaA launching popups
> sourced from the local hard disk. Surely these ads are running in the
local
> zone. To use software that does this I have to trust them to audit the
ads
> given to them?
>
> _________________________________________________________________
> Broadband? Dial-up? Get reliable MSN Internet Access.
> http://resourcecenter.msn.com/access/plans/default.asp
>
>