Gnutella Forums


gaelicWizard March 1st, 2006 02:02 PM

Security Failure: LW Installer creates "hidden" store for untrusted users
 
The LimeWire installer includes the following code in its postflight script:

Code:

echo "Copying LimeWire.dmg to network share."
if [ "free" == "free" ]; then
    if [ -f ~/Desktop/LimeWireOSX.dmg ]; then
        mkdir "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare"
        chmod a+rw "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare"
        cp ~/Desktop/LimeWireOSX.dmg "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare/LimeWireOSX4.10.9.dmg"
        chmod a+rwx "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare/LimeWireOSX4.10.9.dmg"
    fi
fi

This code is ... nice(?) in that it makes the latest version of LimeWire available on the network, but it also raises some concerns. First, this is a hidden network share; I've never seen it in preferences. Second, it explicitly makes this directory WORLD WRITABLE, which means that any user on the machine can share things on LimeWire whenever *any* user is running LimeWire, *and* it is inside the app bundle, so a malicious user can "hide" files there that will appear to be part of LimeWire.app.

Aside from not asking if I want to have a hidden share directory, this can be abused to hide files on a user's system. In fact, it is *designed* to hide files, specifically the LimeWireOSX.dmg file!

JP
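
Added example, not part of the original post and not LimeWire's code: a shell audit that lists world-writable entries inside an app bundle and marks the ones sitting under a dot-prefixed (hidden) path, which is the combination the postflight script above creates. The function name audit_bundle and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find world-writable entries inside an application bundle.
# audit_bundle is a hypothetical helper name, not part of any installer.
#
# Output: one line per finding, "<class><TAB><path>", where class is
# dir, file, hidden-dir or hidden-file.
# Returns 0 if the bundle is clean, 1 if anything was found, 2 on bad input.
# Paths containing newlines are not handled.
audit_bundle() {
    bundle=$1
    if [ ! -d "$bundle" ]; then
        echo "audit_bundle: not a directory: $bundle" >&2
        return 2
    fi
    findings=$(
        # -perm -0002 matches entries whose "other" write bit is set.
        # Symlinks are skipped: their own mode bits do not control access.
        find "$bundle" ! -type l -perm -0002 -print |
        while IFS= read -r path; do
            if [ -d "$path" ]; then class=dir; else class=file; fi
            # Hidden if any component below the bundle root starts with ".".
            rel=${path#"$bundle"}
            case "/$rel" in
                */.*) class="hidden-$class" ;;
            esac
            printf '%s\t%s\n' "$class" "$path"
        done
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh path/to/LimeWire.app
if [ "$#" -gt 0 ]; then
    audit_bundle "$1"
fi
```

A hidden-dir finding inside an installed bundle means any local account can place files there; `chmod -R o-w` on the bundle clears the findings.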

