Bugtraq mailing list archives

Security issue in Scour client


From: jmp () PEAK ORG (Jmp)
Date: Fri, 14 Jul 2000 15:03:24 -0700


OVERVIEW: Scour (www.scour.net) is a file sharing client much like
Gnutella and Napster. Scour provides a search engine that is devoted to
searching the Scour Community or the web for multimedia files. Use is
simple: set up a folder where you download files to and specify folders to
share with the rest of the Scour community. The client is coded so that it
only returns back multimedia files (mp2,mp3,,vivo,ra,mpeg,etc.) when
one browses another user's shared files. Also no wildcards are supported
and only file formats hard coded into the client can be
searched/viewed/downloaded.

PROBLEM: A person already has read access to the shared folders on
someone's machine using scour. The file format restrictions can easily be
circumvented, since as stated above, they are all hard coded into the
client. At present Scour has only released a Win32 client (as well as a
user provided perl client), and it is trivial to use a hex editor and
simply replace e.g. MP2 with FOO or MOO (use your imagination here) or any
other file type. Once this is done, the client allows for the user to
search for those file types (apparently no CRC checking is done to detect
if the binary has been modified or not). This would normally not be a
problem, however I have seen quite a few users who share their WINDOWS/ or
PROGRAM FILES/ (i.e. sensitive) directories thinking that another user
will not be able to download anything else.  Thus there are quite a few
people out there who are lulled into a false sense of security. A person
also need not bother with having to hex edit the binary since Scour has
released its protocol

http://www.scour.net/Software/Scour_Exchange/stp-1.0pre6.html

thus making it quite easy for anyone who knows how to code and work with
sockets, to create their own client. He/she could then quite easily
implement and allow for any and all files to be searched/downloaded.

I wrote to Scour over a month ago concerning this. Their first (and
last) email simply asked me how this was a problem. I replied back and
wrote to them again two weeks ago telling them that the ball was in their
court and if they didn't fix the issue (which they still haven't) or at least
put out an advisory I would post to bugtraq so other Scour users could
protect themselves.

WORKAROUND: I suggested to Scour that they implement filters on their
server itself so that only the file types they specified could be searched
and downloaded. However I don't know when and if that's going to be
happening. So until then I strongly suggest that Scour users get a LOT more
picky about which folders they wish to share since a person can see and
get anything and everything in those folders.

My reason for releasing this information is so that Scour users can
protect themselves. I felt it was better if this became public knowledge
since I'm quite sure that if I found this little bug, other people
would have as well. Hopefully now Scour will fix this now that it's out in
the open.

Cheers!

Jmp
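
An added example, not part of the original post and not Scour's code: a
small audit a user could run over a folder before sharing it, separating
the files the stock client's type filter would list from everything else
that is still readable through the share. The extension set is taken from
the types named in the post and is incomplete; the function names and the
sample folder layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions named in the post; the client's full hard-coded list is not
# given there, so treat this set as an assumption and extend it as needed.
MEDIA_EXTS = {"mp2", "mp3", "vivo", "ra", "mpeg"}


def audit_shared_folder(root, media_exts=MEDIA_EXTS):
    """Split every file under `root` into (shown, hidden_but_exposed).

    `shown` holds files the stock client's type filter would list;
    `hidden_but_exposed` holds everything else, which the filter hides
    but which is still readable through the share.
    """
    shown, exposed = [], []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            ext = Path(name).suffix.lstrip(".").lower()
            (shown if ext in media_exts else exposed).append(rel)
    return sorted(shown), sorted(exposed)


def build_sample_share(base):
    """Constructed sample tree standing in for a user's shared folder."""
    layout = ["music/song.MP3", "music/clip.mpeg", "music/notes.txt",
              "WINDOWS/system.ini", "PROGRAM FILES/app/settings.ini", "README"]
    for rel in layout:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        shown, exposed = audit_shared_folder(build_sample_share(tmp))
        print(f"{len(shown)} file(s) the stock client would list")
        print(f"{len(exposed)} file(s) hidden by the filter but still shared:")
        for rel in exposed:
            print("  ", rel)
```

Any path in the second list is a reason to move the file out or to share a
narrower folder.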

