Anonymous Gerbil
the let you download everything in the share folder. ZoneAlarm Pro can stealth it but you have to go to security, advance, internet zone custom setting and under the medium setting block incoming and outgoing port 1214, and set the security to medium. Try it and see if it stealthed.

Anonymous Gerbil
It seems this "hole" doesn't actually let you download anything... just a list of the shared files. What's the big deal? This is such a non issue.

Anonymous Gerbil
Go here to get around the port blocks ISPs or school admins set up: www.musiccity.smokekaya.com, then to the downloads to get the HTTP-Tunnel. This allows you to tunnel the port and get around a block. Enjoy :)

Anonymous Gerbil
The above post as "FROM: PAUL SARSFIELD, MORPHEUS" is a FAKE being posted all over discussion boards by lamers attempting to defame MusicCity IRC Ops and the Morpheus Program itself. Paul's 'Gamer' real response can be seen here: http://www.gamerspage.com/morpheus.htm

Anonymous Gerbil
-FROM: PAUL SARSFIELD, MORPHEUS-

REGARDING THE BBC NEWS ARTICLE ON THE SECURITY HOLE FOUND IN MUSICCITY MORPHEUS: http://news.bbc.co.uk/hi/english/sci/tech/newsid_1798000/1798095.stm

Yes. We have confirmed the reports that Morpheus does indeed contain the security hole. Our programmers are working diligently on a fix and we hope to have it ready within the week. We have found that the exploit does in fact allow a malicious user to gain access to the root level of the Morpheus user's C:\ drive and therefore gain write access to private files on the user's entire system, not just the shared folder.

We have determined that the reason why only some systems are affected is that the flaw does not seem to work on Windows XP systems. We believe this is due to the fact that XP uses the NTFS file system and has security settings in effect. Windows 98, 95, and WinME systems are vulnerable. (Note: Although it will sometimes run, Morpheus is not recommended for Windows XP due to additional problems with compatibility. Windows XP compatibility is expected in our future 2.0 release this spring.) The Kazaa program, and Grokster which share the same code, are also affected.

We apologize for any inconvenience this has caused you and we assure you we are working as fast as we can to arrive at a solution. We will post the security fix on the Grokster site where we have posted another security tool, at the following url: http://www.grokster.com/virusinformation.html

We hope to provide you with the best filesharing program out there and we assure you that we will have the issue taken care of shortly.

Thank you,
-Paul Sarsfield, Tech Support MusicCity Morpheus
"Gamer" MusicCity Op
Email: gamer@gamerspage.com email for more details.

Anonymous Gerbil
I am behind a router/firewall using NAT; when I browse Morpheus shares it crashes every time cuz another machine on the network is running Morpheus too. It only crashes if you browse other users' files. I have fooled around with this a bit; I believe it has to do with using NAT. Not trying to reinvent the wheel, just wanted to know if anyone else knows about this.

Anonymous Gerbil
Hehe Chaos Knot... good one! So true... just plainly look at the so-called problem and you will see there is no problem... logically.

Anonymous Gerbil
Originally Posted by ncsusokr
I know of the security hole... my school has decided to block the port '1214' on our firewall to deny access to Morpheus. My question to anyone is: Is there a registry tweak that would or could change the physical address of the port, like maybe to '1213' or '1215'? If this was available then anyone could get around a firewall block.

Anonymous Gerbil
I wanted to know if there was a way to connect Morpheus through the university firewall. I got a way to make MSN connect using HTTP tunnel, but in Morpheus there is no SOCKS 4, but only 5. Cya

Anonymous Gerbil
Whoever posted this is probably an overly paranoid person who thinks they know a lot about the internet and how things work. It is true that you could view the contents through a web browser but only the folders actually set to be shared on Morpheus. Anyways you can't even modify the files from another computer using this so-called "security hole". The only security hole here is the hole in your head.

Anonymous Gerbil
I just tried on my Win2k PC (localhost:1214): I can see all the files I share, but it's OK, since my Morpheus is configured to share a directory... The only problem is that I don't see the name of the user downloading from my PC, but the maximum number of downloads is respected.

Anonymous Gerbil
What is wrong with you guys? The reason ZoneAlarm lets the files out on that port is that a) the Morpheus server applet is running in the background, and b) you have ALREADY told ZoneAlarm to allow responses out that port! That's all ANY firewall would be required to do, and of course ZoneAlarm goes one better by restricting it by application. Again, the application, Morpheus server, is the same! There is NO security issue here at all! Geoff "Microsoft is Good, People" Gasior continues to impress with his weighty grasp of issues.

Anonymous Gerbil
This may be going back a bit, but if you have an old copy of ATGuard 3.22 (don't quote me on the version number), you should be able to create a custom firewall rule. Maybe ConSeal??

TargetBoy
One of the reasons to be VERY worried about this, if you use the tool, is that the RIAA attack dogs are scanning for shares with copyrighted material on them and getting ISPs to kick or suspend accounts.

TargetBoy
Hallucinosis, AFAIK, it only allows one server behind the firewall, but it allows multiple players behind the firewall, without forcing them to have different hard-set ports.

Hallucinosis
There is a kernel module, but I'm not sure how it works...
It has to have some way to identify which of the two servers, on a single outside IP firewall, the outside people are requesting. Perhaps Quake provides an identifier? MAC address?

Anonymous Gerbil
Originally Posted by Chaos Knot
Duhh!!! Wake up... You don't even need to find a user's IP address to access the files in their shared folder. Just right click on a file in your Morpheus search and select More from the same/user. It will show you everything that they have in the shared folder. If you don't want to allow access to the shared folder then just configure your firewall so that Morpheus will not act as a server. You can do the same by checking this option in Morpheus itself without changing your firewall settings.

TargetBoy
Hallucinosis,
I thought there was a kernel module for ipchains that allowed you to run Quake servers behind the firewall? Been a while since I looked at it, but I'm pretty sure it existed at one time. Also worked to allow multiple players on different machines through the firewall at the same time.

Anonymous Gerbil
Originally Posted by LocalYokel
Right, the whole deal is that its protocol is HTTP, and thus, it plays nice with NAT and proxies. Damage is right. Blocking port 1214 would be like blocking port 80 on a web server's firewall -- it would be more secure, but of course that's because you made the service unavailable. What this is really about is whether you want to allow directory browsing. This is a server configuration issue, and in the case of Morpheus, you (apparently) can't change it.

Damage
Certainly a real firewall that doesn't expose port 1214 won't be a problem. However, then sharing files on Morpheus probably wouldn't work.

Hallucinosis
ZoneAlarm doesn't involve any hardware, so I am wary of it. A firewall between your OS' HAL and the OS... If you're really concerned about firewalling yourself, as I'm sure you're all well aware, it's best to have a firewall that sits between your ethernet connection and your connection to the internet.
My IP Chains (Linux, running on a Pentium 133) firewall at home doesn't let you establish incoming connections. For instance, I can't host a Quake3 server unless I redirect the port to the machine inside the firewall, thereby allowing for incoming connections. I wonder if the problem doesn't exist for people with good firewalls.

Anonymous Gerbil
Originally Posted by LocalYokel
I think it is just bad programming design. In a server application, especially of this nature, it seems to me that it would be much smarter to reject any request that doesn't fit a very narrow set of conditions.

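LocalYokel's suggestion above (reject any request that does not fit a very narrow set of conditions), together with the earlier point in the thread that the real question is directory browsing, sketched as an added example that is not part of the original thread and not Morpheus code. The names `decide` and `demo` and the shared-folder layout are hypothetical and constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

def decide(shared_root, method, raw_path):
    """Return (status, absolute_path_or_None) for one request to a file-share server."""
    if method != "GET":                       # read-only service: nothing but GET
        return 405, None
    path = unquote(raw_path.split("?", 1)[0])  # drop query string, decode exactly once
    # Only plain absolute URL paths; no backslashes, NULs or drive letters.
    if not path.startswith("/") or any(c in path for c in "\\\x00:"):
        return 400, None
    segments = path[1:].split("/")
    # An empty segment means "/" or a trailing slash, i.e. a listing request.
    if any(seg == "" for seg in segments):
        return 403, None
    if any(seg in (".", "..") for seg in segments):
        return 403, None
    root = os.path.realpath(shared_root)
    target = os.path.realpath(os.path.join(root, *segments))
    # After resolving symlinks the target must still sit inside the shared root.
    if os.path.commonpath([root, target]) != root:
        return 403, None
    if os.path.isdir(target):                 # never hand out directory contents
        return 403, None
    if not os.path.isfile(target):
        return 404, None
    return 200, target

def demo():
    """Run constructed requests against a constructed shared folder."""
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "shared")
        os.makedirs(os.path.join(shared, "albums"))
        open(os.path.join(shared, "albums", "track.mp3"), "w").close()
        open(os.path.join(base, "private.txt"), "w").close()  # outside the share
        requests = [
            ("GET", "/albums/track.mp3"),     # exact shared file
            ("GET", "/"),                     # root listing
            ("GET", "/albums/"),              # sub-directory listing
            ("GET", "/albums"),               # directory without slash
            ("GET", "/../private.txt"),       # escape from the share
            ("GET", "/%2e%2e/private.txt"),   # same, percent-encoded
            ("PUT", "/albums/track.mp3"),     # write attempt
            ("GET", "/missing.mp3"),          # unknown file
        ]
        return [decide(shared, m, p)[0] for m, p in requests]

if __name__ == "__main__":
    print(demo())
```
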
Damage
So the news here is:
Morpheus shares files of your choosing on port 1214 using the HTTP protocol. Thus, it's (sometimes?) possible to access those shares with a web browser, and to do so without first accessing the Morpheus network. Wow. That was a lot easier than reverse engineering Napster. Still, it's no real security "hole." It's just a file share. And sharing files is what Morpheus is supposed to do.

Anonymous Gerbil
Originally Posted by dissonance
The only boxes I was able to connect to are random ones on the net, so I don't know if a firewall is running. The big deal is, there's an obvious hole here of some kind. Whether or not we can do nasty things with it is not quite as important as whether or not there are people out there who could easily exploit such a hole.

Anonymous Gerbil
Originally Posted by athakur999
dissonance, do you have local firewall running or anything? I'm trying this on my work PC which doesn't have any local firewall software on it (that I'm aware of, anyway). In other news, I found a large file and tried downloading it from Morpheus through IE. It showed up in the Morpheus traffic window and I hit "Cancel" on it. The IE download then cancelled, so apparently that works correctly. I'd imagine the upload limits would apply then too. Anyway, I'll agree with AG#3. So friggin' what? The only files you can see are ones being shared anyway. And (at least from what I've seen) you still have control over the transfers. If you could see non-shared files, then THAT would be a problem :)

Anonymous Gerbil
Sigh... my reply got axed when I hit the post button...
Quick version. So friggin' what?

Anonymous Gerbil
Originally Posted by dissonance
Ok, that's weird, I tried it locally from an NT 4 server box, and couldn't see anything.

Anonymous Gerbil
Originally Posted by athakur999
Tried it locally on my NT4 box, and was able to see the files from IE. I haven't tried from another computer or from outside my company's firewall. The downloads DO show up in my "Traffic" window for me, however. Because I'm doing this locally they get finished too quickly for me to see if the upload limits work or if I can cancel them from Morpheus. If this is the general behaviour and the upload limits apply, I don't see what the problem is. This just lets you see all the files that user is sharing, which was one of the nicer features of Napster. I found lots of new music to listen to by searching for a song I knew about, then looking at what else that person had available.

Also, the supposed 'morpheus employee' who posted above is guilty of fraud, there is no such employee.....yeesh, PT Barnum was 101% right