lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041202150641.GA1120@steve.org.uk>
Date: Thu, 2 Dec 2004 15:06:41 +0000
From: Steve Kemp <steve@...ve.org.uk>
To: bugtraq@...urityfocus.com
Subject: Blog Torrent preview 0.8 - arbitary file download



Intro
-----

  Blogtorrent is a collection of PHP scripts which are designed to 
 make it simple to host files for transfer via bittorrent.

  Whilst it is not normal to report security problems in "preview"
 releases of software this software was covered prominently upon 
 Slashdot and could be widely used, so I feel it's a legitimate
 target.



Problem
-------

  One of the scripts in the distribution doesn't correctly
 sanitize it's inputs, before using one of them to read 
 and serve a file from the local system.

  This can be exploited to remotely download any file upon the 
 webserver which is readable by the UID which the webserver is
 running as.

  The code in question is contained in btdownload.php and looks like
 this:

--
 echo file_get_contents('torrents/'.$_GET['file']);
--



Example
-------

  The following URL can be used to download a file:


   htp://example.org/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd

  (Adjust the ".."'s and the filename to suit your taste).


Fix
---

  Whilst no new release is planned to address this hole the
 authors did commit a simple fix to their CVS repository.

  This can be obtained from here:

  http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7

  (The patch was committed less than a day after the hole was privately
 reported to them, making them a responsive bunch).

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit

# Setuid Software Lists
http://www.setuid.org/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ