Musicmatch Jukebox Absolute Path Specification Weakness

Bugtraq ID:	13173
Class:	Design Error
CVE:
Remote:	No
Local:	Yes
Published:	Apr 14 2005 12:00AM
Updated:	Apr 14 2005 12:00AM
Credit:	Discovered by Hyperdose Security <[email protected]>.
Vulnerable:	Musicmatch Inc. Musicmatch Jukebox 10.0.2047 Musicmatch Inc. Musicmatch Jukebox 9.0.5059
Not Vulnerable:

Musicmatch Jukebox Absolute Path Specification Weakness

Musicmatch Jukebox does not use absolute paths to call applications. This could cause the application to execute an arbitrary file due to path precedence. An attacker would have to combine this weakness with a vulnerability that would allow some malicious application to be saved to a specific location on the file system.

Musicmatch Jukebox Absolute Path Specification Weakness

An exploit is not required.

Musicmatch Jukebox Absolute Path Specification Weakness

Solution:
Musicmatch has released new versions of Jukebox that address this issue.


Musicmatch Inc. Musicmatch Jukebox 10.0.2047

• Musicmatch Jukebox
  http://www.musicmatch.com/download/free/security.htm

Musicmatch Inc. Musicmatch Jukebox 9.0.5059

• Musicmatch Jukebox
  http://www.musicmatch.com/download/free/security.htm

Musicmatch Jukebox Absolute Path Specification Weakness

References:

• Musicmatch Home Page (Musicmatch)
  
• Musicmatch Jukebox Security Updates FAQ (Musicmatch)
  
• Trojan file issue in Musicmatch software ("Hyperdose Security" )