lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 19 Mar 2017 03:48:48 +0100
From: Thomas Deutschmann <>
To: Kyle Neideck <>,,
Subject: Re: [FD] Remote code execution via CSRF vulnerability in the web UI
 of Deluge 1.3.13

On 2017-03-05 07:22, Kyle Neideck wrote:
> Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
> Kyle Neideck, February 2017
> Product
> -------
> Deluge is a BitTorrent client available from
> Fix
> ---
> Fixed in the (public) source code, but not in binary releases yet. See
> and
> Install from source or use the web UI from an incognito/private window until
> new binaries are released.
> Summary
> -------
> Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web UI
> plug-in resulting in remote code execution. Requests made to the /json endpoint
> are not checked for CSRF. See the "render" function of the "JSON" class in
> deluge/ui/web/
> The Web UI plug-in is installed, but not enabled, by default. If the user has
> enabled the Web UI plug-in and logged into it, a malicious web page can use
> forged requests to make Deluge download and install a Deluge plug-in provided
> by the attacker. The plug-in can then execute arbitrary code as the user
> running Deluge (usually the local user account).

I requested a CVE via MITRE web form and received the following ID:

> [Suggested description]
> CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation
> methodology involves (1) hosting a crafted plugin that executes an
> arbitrary program from its file and (2) causing the
> victim to download, install, and enable this plugin.

> Use CVE-2017-7178.

Thomas Deutschmann / Gentoo Security Team
C4DD 695F A713 8F24 2AA1  5638 5849 7EE5 1D5D 74A5

Download attachment "signature.asc" of type "application/pgp-signature" (952 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ