Potential security hole in Morpheus

— 12:52 PM on August 2, 2001

Music City's popular new file sharing program, Morpheus, appears to have a bit of a security problem. According to a file sharing message board, the hole allows you to browse Morpheus shares on a computer with any old web browser - all you need to know is the IP address of the computer running Morpheus. Point your web browser at http://ip_address_of_machine:1214, and you've got a listing of all that machine's Morpheus shares. TR reader J. Courtney writes:

A few of my friends were able to load my shares in a browser and download them. This penetrated an up-to-date firewall (ZoneAlarm Pro) set to high security (and solidly stealthed ports). The Morpheus application gives no indication of the upstream activity.

It's pretty alarming to think that anyone and everyone can surreptitiously access your files with just an IP and a browser, no control over the number of connections.

This looked to be rather a big deal, so I tested it out. What I can tell you is that this doesn't work under NT 4, and I would assume Windows 2000. That's all I have on any of the machines I was able to set up Morpheus on. However, armed with a fistful of random IPs of Morpheus users, I was able to connect to several computers using just a web browser. My guess is these machines are running Win9x, and that has something to do with the vulnerability.

Unfortunately, I have no way of knowing if any of these machines are firewalled. In any case, it might be a good idea to test this out yourself to see if your Morpheus file shares are vulnerable.
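One way to script the self-test suggested above, as an added example that is not part of the original post: it connects to port 1214 on your own machine's addresses and reports whether anything answers HTTP there. The function name, the result labels and the expectation that the listener replies with a standard `HTTP/` status line are assumptions.

```python
import socket
import sys

MORPHEUS_PORT = 1214  # port named in the article


def check_share_port(host, port=MORPHEUS_PORT, timeout=3.0):
    """Classify host:port as 'closed', 'open-no-http' or 'http-exposed'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered, or timed out
    with sock:
        sock.settimeout(timeout)
        try:
            # Same kind of request a web browser would send for the share listing.
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            reply = sock.recv(256)
        except OSError:
            return "open-no-http"  # accepted the connection, then reset or stalled
    # Assumption: an exposed listener starts its reply with an HTTP status line.
    return "http-exposed" if reply.startswith(b"HTTP/") else "open-no-http"


def own_addresses():
    """Loopback plus whatever address this machine's hostname resolves to."""
    addrs = ["127.0.0.1"]
    try:
        lan = socket.gethostbyname(socket.gethostname())
        if lan not in addrs:
            addrs.append(lan)
    except OSError:
        pass  # hostname does not resolve; loopback only
    return addrs


if __name__ == "__main__":
    # With no arguments, test this machine; otherwise pass your own IP address.
    for host in sys.argv[1:] or own_addresses():
        print(f"{host}:{MORPHEUS_PORT} -> {check_share_port(host)}")
```

A check run on the machine itself only shows that the listener exists. To see what your firewall actually lets through, run it from a second machine you control and pass your own address as the argument.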

