Debian Bug report logs - #400582
arbitrary code execution in metaInfo.php in torrentflux


Package: torrentflux; Maintainer for torrentflux is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 18 Nov 2006 09:48:26 UTC

Severity: grave

Tags: security

Found in versions 2.1-5, 2.1-6

Fixed in version torrentflux/2.1-7

Done: Cameron Dale <camrdale@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to http://www.torrentflux.com/contact.php



Report forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#399169; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: TorrentFlux Arbitrary Command Execution and Directory Traversal
Date: Sat, 18 Nov 2006 10:47:26 +0100
Package: torrentflux
Severity: grave
Tags: security

More security vulnerabilities have been found in torrentflux. From
http://secunia.com/advisories/22880/ :

1) Input passed to the "kill" parameter in index.php is not properly 
sanitised before being used as the command line argument to 
the "kill" command. This can be exploited to inject arbitrary shell 
commands via the ";" character.
 
 Successful exploitation requires valid user credentials.
 
 2) Input passed to the "delfile" or "alias_file" parameters in 
index.php is not properly sanitised before being used to delete, 
create or overwrite files. The "delfile" parameter can be exploited 
to delete arbitrary files. The "alias_file" parameter can be 
exploited to create or overwrite arbitrary files, but an attacker 
cannot control what data will be written to them.
 
 Successful exploitation requires valid user credentials.
 
 The vulnerabilities are confirmed in version 2.1. Other versions may 
also be affected.


Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#399169; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #10 received at 399169@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 399169@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#399169: TorrentFlux Arbitrary Command Execution and Directory Traversal
Date: Wed, 22 Nov 2006 00:31:57 -0800
retitle 399169 torrentflux: create/delete/overwrite arbitrary files
tags 399169 + pending
thanks

Thanks for the report Stefan, your vigilance is much appreciated.

Unfortunately the report from secunia is poorly titled, and some of it
doesn't apply to the Debian package, so I'll include some more info
below for those interested.

On 11/18/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> 1) Input passed to the "kill" parameter in index.php is not properly
> sanitised before being used as the command line argument to
> the "kill" command. This can be exploited to inject arbitrary shell
> commands via the ";" character.

This doesn't apply to the current version (2.1-5), as it has had this
input sanitized in fixing a previous 2.1 bug.

>  2) Input passed to the "delfile" or "alias_file" parameters in
> index.php is not properly sanitised before being used to delete,
> create or overwrite files. The "delfile" parameter can be exploited
> to delete arbitrary files. The "alias_file" parameter can be
> exploited to create or overwrite arbitrary files, but an attacker
> cannot control what data will be written to them.

This does apply to the current version, and will be fixed in the next
version (2.1-6).

>  Successful exploitation requires valid user credentials.

None of these is very serious, as all require a registered user to
exploit the hack.

Cameron



Changed Bug title. Request was from "Cameron Dale" <camrdale@gmail.com> to control@bugs.debian.org.

Tags added: pending Request was from "Cameron Dale" <camrdale@gmail.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#399169; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #19 received at 399169@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: "Cameron Dale" <camrdale@gmail.com>
Cc: 399169@bugs.debian.org
Subject: Re: Bug#399169: TorrentFlux Arbitrary Command Execution and Directory Traversal
Date: Wed, 22 Nov 2006 22:53:44 +0100
Hi Cameron,

thanks for looking into this. Unfortunately I think you are only 
partially right. (On the other hand, I don't use torrentflux and 
cannot install it ATM due to libphp-adodb brokenness, so I could be 
wrong as well).

On Wednesday 22 November 2006 09:31, Cameron Dale wrote:
> Unfortunately the report from secunia is poorly titled, and some of
> it doesn't apply to the Debian package, so I'll include some more
> info below for those interested.
>
> On 11/18/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> > 1) Input passed to the "kill" parameter in index.php is not
> > properly sanitised before being used as the command line argument
> > to the "kill" command. This can be exploited to inject arbitrary
> > shell commands via the ";" character.
>
> This doesn't apply to the current version (2.1-5), as it has had
> this input sanitized in fixing a previous 2.1 bug.

As far as I can see, you only call htmlentities on the input. This is 
not enough if you use the input in a command line that is passed to a 
shell. For example the characters |;`$ have special meanings to the 
shell and are not changed by htmlentities.

However, in the example above, the input is only passed to exec and 
this does not seem to use a shell but executes the command directly. 
So this doesn't seem to be exploitable here. On the other hand, there 
are various exec()s of commands that are obviously meant to be 
executed by a shell (with pipes or redirects). This doesn't really 
make sense to me (but I am no php expert).

But I have found an instance where the input is passed to 
shell_exec(). From metaInfo.php:

$result = shell_exec("cd " . $cfg["torrent_file_path"] . "; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"] . " \"" . $torrent . "\"");

Here the input ($torrent) is wrapped in double quotes which is not 
enough since the shell will interpret `command` even inside double 
quotes. You should use escapeshellarg() on this.


> None of these is very serious, as all require a registered user to
> exploit the hack.

While this is true, the average admin would not expect that any 
registered user can execute arbitrary commands or delete files. So 
this definitely should be fixed before etch release.

Cheers,
Stefan
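The quoting problem Stefan describes above, as an added example that is not TorrentFlux code and not part of the original thread: the shell_exec() pattern from metaInfo.php rebuilt as a string builder, next to a version that routes every word through escapeshellarg(), plus the digits-only check for the "kill" parameter that Cameron mentions later in the thread. The $cfg keys are the ones named in the report; the values and the file names are constructed placeholders. Nothing here runs a command, it only shows what the shell would receive.

```php
<?php
// Added example, not TorrentFlux code. $cfg keys mirror the report; the
// values are constructed placeholders for an installation's settings.
$cfg = [
    'torrent_file_path' => '/var/cache/torrentflux/torrents',
    'pythonCmd'         => '/usr/bin/python',
    'btshowmetainfo'    => '/usr/share/torrentflux/btshowmetainfo.py',
];

// The pattern described in the report: $torrent is wrapped in double
// quotes, and a POSIX shell still expands `...`, $(...) and $VAR inside
// double quotes, so the quotes do not make the value a literal.
function buildMetaInfoCommandUnsafe(array $cfg, string $torrent): string
{
    return 'cd ' . $cfg['torrent_file_path'] . '; '
         . $cfg['pythonCmd'] . ' -OO ' . $cfg['btshowmetainfo']
         . ' "' . $torrent . '"';
}

// Hardened form: every word that reaches the shell goes through
// escapeshellarg(), which on Unix single-quotes the value and rewrites an
// embedded single quote as '\'' so the shell sees exactly one literal
// argument. '&&' instead of ';' also stops btshowmetainfo from running in
// the wrong directory if the cd failed.
function buildMetaInfoCommandSafe(array $cfg, string $torrent): string
{
    return 'cd ' . escapeshellarg($cfg['torrent_file_path']) . ' && '
         . escapeshellarg($cfg['pythonCmd']) . ' -OO '
         . escapeshellarg($cfg['btshowmetainfo']) . ' '
         . escapeshellarg($torrent);
}

// The "kill" parameter is a process id, so the right defence there is a
// type check rather than quoting: accept only a string of digits.
function killTarget(string $kill): ?int
{
    return ctype_digit($kill) ? (int) $kill : null;
}

// Self-check on constructed names: the last word of the hardened command
// must be the single-quoted literal shown on the right.
$cases = [
    'plain.torrent'             => "'plain.torrent'",
    'with `backticks`.torrent'  => "'with `backticks`.torrent'",
    "it's \$HOME.torrent"       => "'it'\\''s \$HOME.torrent'",
];
foreach ($cases as $name => $expectedTail) {
    $safe = buildMetaInfoCommandSafe($cfg, $name);
    if (substr($safe, -strlen($expectedTail)) !== $expectedTail) {
        fwrite(STDERR, "quoting failed for $name\n");
        exit(1);
    }
    echo "unsafe: " . buildMetaInfoCommandUnsafe($cfg, $name) . "\n";
    echo "safe:   " . $safe . "\n\n";
}

if (killTarget('1234') !== 1234 || killTarget('1234; id') !== null) {
    fwrite(STDERR, "kill parameter check failed\n");
    exit(1);
}
echo "kill parameter: digits only accepted\n";
```

Run it with `php example.php`. The configuration values are quoted as well because, as the thread notes, they come from the database unescaped; quoting them costs nothing and removes a class of surprises even though an admin who can change them already has other ways in.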

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#399169; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #24 received at 399169@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>
Cc: 399169@bugs.debian.org
Subject: Re: Bug#399169: TorrentFlux Arbitrary Command Execution and Directory Traversal
Date: Wed, 22 Nov 2006 16:26:43 -0800
On 11/22/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> thanks for looking into this. Unfortunately I think you are only
> partially right. (On the other hand, I don't use torrentflux and
> cannot install it ATM due to libphp-adodb brokenness, so I could be
> wrong as well).

A new libphp-adodb is in the works. Should be available soon.

> On Wednesday 22 November 2006 09:31, Cameron Dale wrote:
> > On 11/18/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> > > 1) Input passed to the "kill" parameter in index.php is not
> > > properly sanitised before being used as the command line argument
> > > to the "kill" command. This can be exploited to inject arbitrary
> > > shell commands via the ";" character.
> >
> > This doesn't apply to the current version (2.1-5), as it has had
> > this input sanitized in fixing a previous 2.1 bug.
>
> As far as I can see, you only call htmlentities on the input. This is
> not enough if you use the input in a command line that is passed to a
> shell. For example the characters |;`$ have special meanings to the
> shell and are not changed by htmlentities.

In fact, in the case we were discussing before (the kill parameter),
the new version will also only execute the kill command if $kill is a
numeric variable. So, if it wasn't fixed before then it will be now.

> However, in the example above, the input is only passed to exec and
> this does not seem to use a shell but executes the command directly.
> So this doesn't seem to be exploitable here. On the other hand, there
> are various exec()s of commands that are obviously meant to be
> executed by a shell (with pipes or redirects). This doesn't really
> make sense to me (but I am no php expert).
>
> But I have found an instance where the input is passed to
> shell_exec(). From metaInfo.php:
>
> $result = shell_exec("cd " . $cfg["torrent_file_path"] . "; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"] . " \"" . $torrent . "\"");
>
> Here the input ($torrent) is wrapped in double quotes which is not
> enough since the shell will interpret `command` even inside double
> quotes. You should use escapeshellarg() on this.

Although what you are saying makes sense to me, I cannot use it to
cause a command to be executed. I have tried many combinations of
inputs to the $torrent variable (including using `command`), and none
of them has been successful. I can't say why it seems to catch these,
but it seems to, so I will leave it at that. If you (or anyone else)
can create a case where this is a security issue, please submit it as
a new bug.

> > None of these is very serious, as all require a registered user to
> > exploit the hack.
>
> While this is true, the average admin would not expect that any
> registered user can execute arbitrary commands or delete files. So
> this definitely should be fixed before etch release.

Definitely, I was just trying to calm people's fears about this being
a globally accessible hack. It will of course be treated seriously,
and fixed as soon as possible.

Cameron



Reply sent to Cameron Dale <camrdale@gmail.com>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #29 received at 399169-close@bugs.debian.org:

From: Cameron Dale <camrdale@gmail.com>
To: 399169-close@bugs.debian.org
Subject: Bug#399169: fixed in torrentflux 2.1-6
Date: Sun, 26 Nov 2006 20:32:07 +0000
Source: torrentflux
Source-Version: 2.1-6

We believe that the bug you reported is fixed in the latest version of
torrentflux, which is due to be installed in the Debian FTP archive:

torrentflux_2.1-6.diff.gz
  to pool/main/t/torrentflux/torrentflux_2.1-6.diff.gz
torrentflux_2.1-6.dsc
  to pool/main/t/torrentflux/torrentflux_2.1-6.dsc
torrentflux_2.1-6_all.deb
  to pool/main/t/torrentflux/torrentflux_2.1-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 399169@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cameron Dale <camrdale@gmail.com> (supplier of updated torrentflux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 21 Nov 2006 22:30:44 -0800
Source: torrentflux
Binary: torrentflux
Architecture: source all
Version: 2.1-6
Distribution: unstable
Urgency: high
Maintainer: Cameron Dale <camrdale@gmail.com>
Changed-By: Cameron Dale <camrdale@gmail.com>
Description: 
 torrentflux - web based, feature-rich BitTorrent download manager
Closes: 399169
Changes: 
 torrentflux (2.1-6) unstable; urgency=high
 .
   * Sanitize file inputs (Closes: #399169)
   * Update search engines to latest
Files: 
 3ad5d8e1c85ac10077edbea8184249f0 629 web optional torrentflux_2.1-6.dsc
 11756172905846d7247af82763a58cf4 36472 web optional torrentflux_2.1-6.diff.gz
 cded330eb39dbda35299cc77e50302d0 421870 web optional torrentflux_2.1-6_all.deb





Bug 399169 cloned as bug 400582. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Bug reopened, originator not changed. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Changed Bug title. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Tags removed: pending Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Bug marked as found in version 2.1-5 2.1-6. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #44 received at 400582@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 400582@bugs.debian.org
Subject: arbitrary code execution in metaInfo.php in torrentflux
Date: Mon, 27 Nov 2006 14:18:39 +0100 (CET)
I was able to exploit the problem mentioned above to execute shell 
commands. $cfg["enable_file_priority"] must be false.

Try

http://xxx/torrentflux/details.php?torrent=`touch /tmp/hello`

Cheers,
Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #49 received at 400582@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 400582@bugs.debian.org
Cc: control@bugs.debian.org, "Micah Anderson" <micah@debian.org>
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Mon, 27 Nov 2006 21:10:28 -0800
tags 400582 + pending
thanks

On 11/27/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> I was able to exploit the problem mentioned above to execute shell
> commands. $cfg["enable_file_priority"] must be false.

Ahh, that's why I couldn't get it to work. Looking at it now it seems
obvious, but then hindsight always seems to work like that. Thanks for
finding it, Stefan.

> Try
>
> http://xxx/torrentflux/details.php?torrent=`touch /tmp/hello`

This did work for me too. I've gone through the security fixes
available in upstream's 2.2 beta, and found that I did not catch all
of them when I was backporting to 2.1. One of them does fix this
problem, so I've created a new patch with all the missing fixes in it.
I've attached the new patch file for your consideration, and I think
I'm going to hold off on the upload for a few days to make sure I
really did get them all this time, and talk to upstream about it.
Please let me know if you think this is not sufficient, or if I missed
something else.

In consideration of the calls to exec() and shell_exec() mentioned
previously, I went through the code to see if I could find any places
where this could be exploited. I found a couple of possible problems,
which are fixed in the included patch.

However, there are lots of occurrences of these functions being called
where the input is one of the settings stored in the database
(unescaped), which I don't consider a security risk, as you have to be
an admin to change them, and if you are an admin then it's much easier
to just point the location of the bittornado files to whatever python
script you want executed. The other thing I considered is the
possibility of some kind of sql injection that could be used to alter
these database entries, but that would be a security problem that
would need to be fixed anyway, as the database has to be trusted. Am I
incorrect in thinking like this, and these are security risks?

By the way, if you want to try out the new package to make sure it
works, you can find it in my personal repository here:

deb http://www.cs.sfu.ca/~camerond/personal/debian/
http://www.cs.sfu.ca/~camerond/personal/debian/pool/main/t/torrentflux/

Cameron
[11_missed_security_fixes.dpatch (application/octet-stream, attachment)]

Tags added: pending Request was from "Cameron Dale" <camrdale@gmail.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #56 received at 400582@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Wed, 29 Nov 2006 20:07:04 +0100
I didn't have time yet to look at it thoroughly (or test it), but
AFAICS you now check the file for existence before passing it to the
shell. This should convert the remote command execution vuln into a
local privilege escalation. A local user can do

touch '/tmp/`touch /tmp/hello`'

and pass the filename to torrentflux and so get the command executed 
as user www-data. This is definitely less severe than before but IMHO 
still a bug. It would also convert any vulnerability to create a file 
with arbitrary name into a code execution vulnerability.

Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #61 received at 400582@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Thu, 30 Nov 2006 13:57:20 -0800
On 11/29/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> I didn't have time yet to look at it thoroughly (or test it), but
> AFAICS you now check the file for existence before passing it to the
> shell. This should convert the remote command execution vuln into a
> local privilege escalation. A local user can do
>
> touch '/tmp/`touch /tmp/hello`'

I think I understand how this is supposed to work, but I can't execute
this to create a file containing the ticks in it. Is this supposed to
work?

hostname:~$ touch '/tmp/`touch /tmp/hello`'
touch: cannot touch `/tmp/`touch /tmp/hello`': No such file or directory
hostname:~$ ls /tmp
flashgot.lfb3lmyf.default/  .ICE-unix/     ksocket-camrdale/  .X0-lock
gpg-ovJV8Y/                 kde-camrdale/  ssh-PRXIyZ3903/    .X11-unix/

I tried lots of variations on escaping the quotes, but nothing would
cause this to create a file with ticks in it. What am I doing wrong?

Cameron



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #66 received at 400582@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: "Cameron Dale" <camrdale@gmail.com>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Thu, 30 Nov 2006 23:15:56 +0100
On Thursday 30 November 2006 22:57, Cameron Dale wrote:
> hostname:~$ touch '/tmp/`touch /tmp/hello`'
> touch: cannot touch `/tmp/`touch /tmp/hello`': No such file or
> directory

My fault. The slashes are still path separators and the 
directory '/tmp/`touch /tmp/' does not exist. So you would have to do 

mkdir -p '/tmp/`touch /tmp/'

first.

Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #71 received at 400582@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Thu, 30 Nov 2006 15:15:11 -0800
On 11/29/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> I didn't have time yet to look at it thoroughly (or test it), but
> AFAICS you now check the file for existence before passing it to the
> shell. This should convert the remote command execution vuln into a
> local privilege escalation. A local user can do
>
> touch '/tmp/`touch /tmp/hello`'
>
> and pass the filename to torrentflux and so get the command executed
> as user www-data. This is definitely less severe than before but IMHO
> still a bug. It would also convert any vulnerability to create a file
> with arbitrary name into a code execution vulnerability.

I don't think this will work, because the local user would need to be
the www-data user to create the '/tmp/`touch /tmp/hello`' under the
$cfg["torrent_file_path"] directory for it to be found. However, it
will be possible to exploit the fact that the "torrent" input is not
checked for ..'s on input, and so the following will work (assuming
the touch '/tmp/`touch /tmp/hello`' has already been done):

http://localhost/torrentflux/details.php?torrent=../../../../tmp/`touch /tmp/hello`

I think the solution is then to use the SecurityClean function on the
"torrent" input variable in details.php to remove the ../ ability, and
that should take care of it.

-$torrent = getRequestVar('torrent');
+$torrent = SecurityClean(getRequestVar('torrent'));
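Review bot: SecurityClean() on this one assignment only removes the `../` traversal at the details.php entry point; it does not address the shell metacharacter problem in metaInfo.php, so the value still needs escapeshellarg() where it is interpolated into the shell_exec() string, and any other page that passes a request parameter into showMetaInfo() needs the same cleaning at its own assignment (or, better, the cleaning moves into showMetaInfo() itself so no caller can forget it).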

The new patch is attached, and I have updated the packages in my repository.

Cameron
[11_missed_security_fixes.dpatch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #76 received at 400582@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Sat, 2 Dec 2006 13:35:33 -0800
Unless there are any more problems found with the fix I created, I'm
going to try and get this uploaded by Monday the 4th so I can start
working on the soon-to-be-released new upstream version.

Cameron



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #81 received at 400582@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: "Cameron Dale" <camrdale@gmail.com>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Mon, 4 Dec 2006 23:34:33 +0100
Hi Cameron,

I have looked a bit more, but haven't found many issues. Let's hope 
that this means that there aren't many left ;-)

On Friday 01 December 2006 00:15, Cameron Dale wrote:
> I don't think this will work, because the local user would need to
> be the www-data user to create the '/tmp/`touch /tmp/hello`' under
> the $cfg["torrent_file_path"] directory for it to be found.
> However, it will be possible to exploit the fact that the "torrent"
> input is not checked for ..'s on input, and so the following will
> work (assuming the touch '/tmp/`touch /tmp/hello`' has already been
> done):
>
> http://localhost/torrentflux/details.php?torrent=../../../../tmp/`touch /tmp/hello`
>
> I think the solution is then to use the SecurityClean function on
> the "torrent" input variable in details.php to remove the ../
> ability, and that should take care of it.

showMetaInfo() is also called from startpop.php. You would have to do
SecurityClean(getRequestVar('torrent')) there, too.

On second thought, it would probably be possible to create your own 
custom torrent that contains filenames with backticks? Then one could 
download that and have all files in the correct places. This would be 
a remote command execution again. I guess the attached patch is a 
better solution.

In index.php and dir.php, urldecode() is called after the htmlentities
escaping is done by getRequestVar(). This allows the escaping to be
bypassed. In dir.php this could be used for an XSS. Replace $dir by
htmlentities($dir) in the error message. Or maybe it would be a good
idea to put the urldecode() into getRequestVar() and remove it from
all other places.

Just a bug (not security related) in functions.php in file_size(): The
exec() is broken. It uses shell features but exec() instead of
shell_exec(). And it adds the filename as "'filename'", which works
with neither exec() nor shell_exec(). I have
found "ls: '/var/cache/torrentflux/...': No such file or directory"
in my apache error log. Anyway, I don't understand why ls is used
there at all...


Cheers,
Stefan



[metaInfo.patch (text/x-diff, attachment)]
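The two messages above (Cameron's SecurityClean() proposal for the "torrent" parameter and Stefan's reply that startpop.php needs the same treatment and that an existence check alone does not make a name shell-safe) call for one resolver that every caller goes through. The following is an added example, not TorrentFlux code and not the attached patch: a single function that accepts only a bare file name, resolves it under the torrent directory and confirms it stays there. $base stands in for $cfg["torrent_file_path"]; the directory, the files and the `.torrent` contents are constructed in a temporary directory purely for the demonstration. Note that a name containing backticks is deliberately accepted here, because containment is a different property from shell safety; the value still has to go through escapeshellarg() before any shell_exec().

```php
<?php
// Added example, not TorrentFlux code. One resolver for every page that
// takes a "torrent" request parameter (details.php, startpop.php, ...).
function resolveTorrentFile(string $base, string $name): ?string
{
    // Only a bare file name is acceptable: any directory component,
    // "../../../../tmp/x" or an absolute path, is rejected outright rather
    // than cleaned up, so there is no "../" stripping to get around.
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() follows symlinks, so a link planted inside the torrent
    // directory that points elsewhere fails the containment check below.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a throwaway torrent directory with two files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tf_example_' . getmypid();
mkdir($dir, 0700);
$withTicks = 'name with `ticks`.torrent';
$stub = 'd8:announce0:e';   // minimal bencoded dict, content is irrelevant here
file_put_contents($dir . DIRECTORY_SEPARATOR . 'good.torrent', $stub);
file_put_contents($dir . DIRECTORY_SEPARATOR . $withTicks, $stub);

// Name => whether the resolver should accept it.
$checks = [
    'good.torrent'             => true,   // present, bare name
    $withTicks                 => true,   // present; still needs escapeshellarg() later
    '../../../../etc/hostname' => false,  // traversal: has directory components
    '/etc/hostname'            => false,  // absolute path
    'missing.torrent'          => false,  // not present in the directory
    '..'                       => false,  // would resolve to the parent
];
$ok = true;
foreach ($checks as $name => $expectAccept) {
    $resolved = resolveTorrentFile($dir, $name);
    $accepted = $resolved !== null;
    printf("%-28s -> %s\n", $name, $accepted ? $resolved : 'rejected');
    if ($accepted !== $expectAccept) {
        $ok = false;
    }
}

// Clean up the fixture and report.
unlink($dir . DIRECTORY_SEPARATOR . 'good.torrent');
unlink($dir . DIRECTORY_SEPARATOR . $withTicks);
rmdir($dir);
exit($ok ? 0 : 1);
```

Putting the check inside the function that consumes the name (showMetaInfo() in the thread's terms) rather than at each entry page is what makes the startpop.php omission impossible to repeat.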

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #86 received at 400582@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 400582@bugs.debian.org
Subject: present in 2.2 as well
Date: Mon, 4 Dec 2006 23:41:04 +0100
The metaInfo.php issue doesn't seem to be fixed in 2.2



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #91 received at 400582@bugs.debian.org:

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>
Cc: 400582@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Wed, 6 Dec 2006 00:00:24 -0800
forwarded 400582 http://www.torrentflux.com/contact.php
thanks

Thanks for the additional info Stefan, I've forwarded this information
to upstream. Unfortunately I have no time right now, so it will be a
couple of days before I get to this. One question though (below).

On 12/4/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities
> escaping is done by getRequestVar(). This allows to bypass the
> escaping. In dir.php this could be used for a XSS. Replace $dir by
> htmlentities($dir) in the error message. Or maybe it would be a good
> idea to put the urldecode() into getRequestVar() and remove it from
> all other places.

I don't think putting urldecode() in getRequestVar() before
htmlentities is called will work, as the directory name is needed
decoded at some points in the file (maybe decode it only when needed
and safe?). I'm starting to get over my head with some of this though,
so I've forwarded this upstream in the hopes of getting some feedback.

When you say the error message, do you mean this line:

   echo "<strong>".$dir."</strong> could not be found or is not valid.";

Is that the only place you've found so far that this is a problem? I
see the $torrent and $file_name variables in index.php might also be
problems, but I can't tell for sure.

Cameron



Noted your statement that Bug has been forwarded to http://www.torrentflux.com/contact.php. Request was from "Cameron Dale" <camrdale@gmail.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>.

Message #98 received at 400582@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: "Cameron Dale" <camrdale@gmail.com>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Wed, 6 Dec 2006 09:49:01 +0100
On Wednesday 06 December 2006 09:00, Cameron Dale wrote:
> > In index.php and dir.php, urldecode() is called after the
> > htmlentities escaping is done by getRequestVar(). This allows the
> > escaping to be bypassed. In dir.php this could be used for an XSS.
> > Replace $dir by htmlentities($dir) in the error message. Or maybe
> > it would be a good idea to put the urldecode() into
> > getRequestVar() and remove it from all other places.
>
> I don't think putting urldecode() in getRequestVar() before
> htmlentities is called will work, as the directory name is needed
> decoded at some points in the file (maybe decode it only when
> needed and safe?).

I don't understand the problem. In principle, urldecoding the 
parameters should always be done before using them.

>
> When you say the error message, do you mean this line:
>
>     echo "<strong>".$dir."</strong> could not be found or is not
> valid.";

Yes.

> Is that the only place you've found so far that this is a problem?
> I see the $torrent and $file_name variables in index.php might also
> be problems, but I can't tell for sure.

I missed $file_name, it has the same issue. But I still don't see the 
contents of $torrent being sent to the user. Of course if it is used 
as a filename, the filename may later be sent to the user at some 
other place. So it is probably a good idea to fix it, too.

Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #103 received at 400582@bugs.debian.org (full text, mbox, reply):

From: Micah Anderson <micah@riseup.net>
To: 400582@bugs.debian.org, camrdale@gmail.com
Subject: CVEs assigned
Date: Wed, 06 Dec 2006 16:57:46 -0700
[Message part 1 (text/plain, inline)]
Hi Cameron and Stefan,

Stefan requested that I request CVE IDs for the torrentflux issues from
Mitre, which I have done, please see below for these. It would be good
to pass these upstream and include them in any changelogs that fix these
issues that haven't been uploaded already.

micah

> New torrentflux issue has come up, reference URL
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> Proposed text:
> A potential remote command execution has been found in torrentflux, a
> php-based torrent management software. Arbitrary code execution in
> metaInfo.php allows an authenticated user to execute remote shell
> commands on the server when $cfg["enable_file_priority"] is set to 'false'.

I've created 4 candidates - 3 for the Secunia advisory published in
November, and one for this particular issue.  See below.

======================================================
Name: CVE-2006-6328
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

Directory traversal vulnerability in index.php for TorrentFlux 2.2
allows remote attackers to create or overwrite arbitrary files via
sequences in the alias_file parameter.


======================================================
Name: CVE-2006-6329
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote attackers to delete files
by specifying the target filename in the delfile parameter.


======================================================
Name: CVE-2006-6330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote registered users to
execute arbitrary commands via shell metacharacters in the kill
parameter.


======================================================
Name: CVE-2006-6331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
Reference:
MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1

metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
false, allows remote attackers to execute arbitrary commands via shell
metacharacters (backticks) in the torrent parameter to details.php.



[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #108 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Micah Anderson" <micah@riseup.net>, "Stefan Fritsch" <sf@sfritsch.de>
Cc: 400582@bugs.debian.org
Subject: Re: CVEs assigned
Date: Wed, 6 Dec 2006 16:48:39 -0800
Hi Micah,

Thanks for doing this. Unfortunately, I think one of these reports is
a duplicate, and some are inaccurate as they don't apply to version
2.2. I don't know how these work, but if you can update them you may
want to make some changes. See my notes below.

On 12/6/06, Micah Anderson <micah@riseup.net> wrote:
> ======================================================
> Name: CVE-2006-6328
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference:
> CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> Directory traversal vulnerability in index.php for TorrentFlux 2.2
> allows remote attackers to create or overwrite arbitrary files via
> sequences in the alias_file parameter.

This already has an advisory, see

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5609

It also doesn't apply to Torrentflux 2.2, only 2.1 (the original
advisory from milw0rm was incorrect, but CVE-2006-5609 is correct in
indicating only 2.1 is affected). Also, the Debian bug for this one
was 395930.

> ======================================================
> Name: CVE-2006-6329
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference:
> CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> index.php for TorrentFlux 2.2 allows remote attackers to delete files
> by specifying the target filename in the delfile parameter.

Again, this is only present in version 2.1, not 2.2. The Debian bug
number for this one is 399169.

> ======================================================
> Name: CVE-2006-6330
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference:
> CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> index.php for TorrentFlux 2.2 allows remote registered users to
> execute arbitrary commands via shell metacharacters in the kill
> parameter.

Again, not present in 2.2, only in version 2.1. The Debian bug number
for this one is also 399169.

> ======================================================
> Name: CVE-2006-6331
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> Reference:
> CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> Reference:
> MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
>
> metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
> false, allows remote attackers to execute arbitrary commands via shell
> metacharacters (backticks) in the torrent parameter to details.php.

This problem, as described, is not present in 2.2, only in 2.1. Also,
the dpatch attached is a little misleading as it contains changes
that fix the 2 previous problems (6329 and 6330) as well as this one
(6331).

There is, however, a similar problem to this in 2.2 that Stefan
described as a "local privilege escalation". It uses the torrent
parameter and a local user's ability to create a file containing
backticks, to then execute arbitrary commands as the webserver user
(www-data). I don't think it applies to remote users though, only
local. You may want to request another CVE for this one, as it is a
separate problem from 6331 and does affect version 2.2.

Cameron



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #113 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 400582@bugs.debian.org
Subject: Re: Bug#400582: present in 2.2 as well
Date: Wed, 6 Dec 2006 16:54:09 -0800
On 12/4/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> The metaInfo.php issue doesn't seem to be fixed in 2.2

To be clear, I would like to point out that the more serious remote
command execution using metaInfo.php IS fixed in 2.2.

However, the local privilege escalation is present in 2.2 by a local
user creating a file with backticks in it, then pointing the torrent
variable of details.php to it and executing the command as the web
server user.

Cameron



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #118 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Micah Anderson" <micah@riseup.net>, "Stefan Fritsch" <sf@sfritsch.de>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: CVEs assigned
Date: Wed, 6 Dec 2006 17:42:14 -0800
On 12/6/06, Cameron Dale <camrdale@gmail.com> wrote:
> > ======================================================
> > Name: CVE-2006-6331
> > Status: Candidate
> > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> > Reference:
> > CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> > Reference:
> > MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
> >
> > metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
> > false, allows remote attackers to execute arbitrary commands via shell
> > metacharacters (backticks) in the torrent parameter to details.php.
>
> This problem, as described, is not present in 2.2, only in 2.1. Also,
> the dpatch attached is a little misleading as it contains changes
> that fix the 2 previous problems (6329 and 6330) as well as this one
> (6331).
>
> There is, however, a similar problem to this in 2.2 that Stefan
> described as a "local privilege escalation". It uses the torrent
> parameter and a local user's ability to create a file containing
> backticks, to then execute arbitrary commands as the webserver user
> (www-data). I don't think it applies to remote users though, only
> local. You may want to request another CVE for this one, as it is a
> separate problem from 6331 and does affect version 2.2.

Actually, on further investigation, I was wrong about this one, as it
is a remote command execution bug in 2.2 as well, and I recommend you
report it as such. I had thought that TorrentFlux's cleaning of the
downloaded torrent files would make this local only, but I now see
that a torrent file that includes files that have backticks will work
(sorry Stefan, I misread your previous email about this). Here is how
to properly take advantage of this in Torrentflux 2.2 (or 2.1):

mkdir -p '`touch /tmp/'
echo "Test file" > '`touch /tmp/hello`.torrent'
btmakemetafile --target test.torrent http://localhost:6969 \`touch\ /

Now upload test.torrent to TorrentFlux and start it downloading (it
won't download anything, but that doesn't matter as the files are
created when the torrent starts).

Now go to (replace username with your TorrentFlux user name):

http://hostname/torrentflux/details.php?torrent=../username/`touch
/tmp/hello`.torrent

It should say only "btshowmetainfo 20030621 - decode BitTorrent
metainfo files" and the /tmp/hello file should be created as the web
server user (www-data).

Cameron
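The recipe above reduced to the one ingredient that matters, as an added example that is not TorrentFlux code: a file whose name contains backticks, spliced into a command line by string concatenation, makes the shell run the backtick command before the program ever sees its argument. The Python below stands in for the exec() call in metaInfo.php (cat replaces btshowmetainfo, a temporary directory replaces the user's download directory, and the file name, its contents and the marker file are constructed for the example). shlex.quote is Python's counterpart of PHP's escapeshellarg(), the fix Stefan suggested; the argv mode shows the alternative of not involving a shell at all.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed for this example: a torrent whose file name carries a backtick
# command, the shape btmakemetafile produces in the recipe above.
TORRENT_NAME = "`touch marker`.torrent"
TORRENT_BYTES = b"d8:announce0:e"  # constructed minimal bencoded content


def run_metainfo(torrent_name: str, mode: str) -> dict:
    """Run the command the way a metaInfo.php-style script would and report
    whether the command embedded in the file name fired.

    mode="unsafe" : exec("btshowmetainfo " . $torrent); the name is glued
                    into the command line and sh expands the backticks.
    mode="quoted" : exec("btshowmetainfo " . escapeshellarg($torrent));
                    shlex.quote plays the role of escapeshellarg.
    mode="argv"   : no shell at all; the name is a single argv element.
    'cat' stands in for btshowmetainfo so this runs on any box with sh.
    """
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, torrent_name), "wb") as fh:
            fh.write(TORRENT_BYTES)

        if mode == "unsafe":
            cmdline = ["sh", "-c", "cat " + torrent_name]
        elif mode == "quoted":
            cmdline = ["sh", "-c", "cat " + shlex.quote(torrent_name)]
        elif mode == "argv":
            cmdline = ["cat", torrent_name]
        else:
            raise ValueError(mode)

        proc = subprocess.run(cmdline, cwd=workdir, capture_output=True)
        return {
            "returncode": proc.returncode,
            "stdout": proc.stdout,
            # The marker exists only if sh ran `touch marker` on our behalf.
            "marker_created": os.path.exists(os.path.join(workdir, "marker")),
        }


if __name__ == "__main__":
    for mode in ("unsafe", "quoted", "argv"):
        print(mode, run_metainfo(TORRENT_NAME, mode))
```

In the unsafe mode the shell substitutes the backtick command first, creates the marker, and then runs cat on the leftover name ".torrent", which fails; in the other two modes cat simply reads the oddly named file. Quoting the argument stops the shell from interpreting the name; it does nothing about the ../username/ traversal in the URL, which needs a separate path check.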



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #123 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 400582@bugs.debian.org
Subject: Re: Bug#400582: present in 2.2 as well
Date: Wed, 6 Dec 2006 17:44:20 -0800
On 12/6/06, Cameron Dale <camrdale@gmail.com> wrote:
> On 12/4/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> > The metaInfo.php issue doesn't seem to be fixed in 2.2
>
> To be clear, I would like to point out that the more serious remote
> command execution using metaInfo.php IS fixed in 2.2.

Sorry for the confusion and multiple messages, but as I mentioned in
my other email, this is exploitable in 2.2, though it is a little
harder than in 2.1. My mistake.

Cameron



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #128 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Wed, 6 Dec 2006 20:08:29 -0800
On 12/4/06, Stefan Fritsch <sf@sfritsch.de> wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities
> escaping is done by getRequestVar(). This allows to bypass the
> escaping. In dir.php this could be used for a XSS. Replace $dir by
> htmlentities($dir) in the error message. Or maybe it would be a good
> idea to put the urldecode() into getRequestVar() and remove it from
> all other places.

I've looked into this further, and I'm not convinced that this will
result in a vulnerability. It seems to me that htmlentities() uses a
different encoding format than urlencode() does, and so
urldecode(htmlentities($dir)) != $dir. I've tested this, and
urldecode() definitely doesn't decode the '&lt;' and '&gt;' that
htmlentities() creates. Now, you could try and submit a URL such as

http://hostname/torrentflux/dir.php?dir=%3Cscript%3Ealert('xss')%3C/script%3E

in the hopes that htmlentities() will not replace the %3C with &lt;
and then later urldecode() will replace it with '<', but this doesn't
seem to work as all the variables are urldecoded when they are read
(from my testing it seems that way, anyway). Therefore they are made
safe by htmlentities(). I'm not sure why this doesn't work, so if you
know, or have found a way to exploit this, please let me know.

Cameron
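The ordering Stefan describes and Cameron tests, modelled in Python as an added example (an assumed reconstruction from the thread's description, not TorrentFlux code). The %3C...%3E form does not work because PHP URL-decodes the query string once while filling $_GET, before any script code runs, so htmlentities() sees real angle brackets. A payload URL-encoded twice passes through htmlentities() untouched, and the later urldecode() in dir.php then produces the markup. Escaping again after that second decode, which is what the htmlentities($dir) suggestion amounts to, closes it.

```python
import html
from urllib.parse import unquote


def get_request_var(raw_query_value: str) -> str:
    """What getRequestVar() hands back for one query-string value.

    PHP URL-decodes the query string once when it populates $_GET;
    getRequestVar() then applies htmlentities(). html.escape approximates
    htmlentities() closely enough for this demonstration.
    """
    as_seen_in_get = unquote(raw_query_value)
    return html.escape(as_seen_in_get, quote=True)


def dir_php_error_message(raw_query_value: str, fixed: bool) -> str:
    """dir.php: urldecode() is applied to the already-escaped value and the
    result is echoed. fixed=True escapes again after that second decode, so
    whatever urldecode() reconstitutes is neutralised before output."""
    dir_ = unquote(get_request_var(raw_query_value))
    if fixed:
        dir_ = html.escape(dir_, quote=True)
    return "<strong>" + dir_ + "</strong> could not be found or is not valid."


def contains_live_markup(rendered: str) -> bool:
    """True if the page would carry an unescaped <script> tag."""
    return "<script>" in rendered


# Cameron's payload, URL-encoded once: PHP decodes it before htmlentities().
SINGLE_ENCODED = "%3Cscript%3Ealert(1)%3C/script%3E"
# The same payload URL-encoded twice: PHP's decode leaves %3C..., which
# htmlentities() ignores, and dir.php's own urldecode() then turns into tags.
DOUBLE_ENCODED = "%253Cscript%253Ealert(1)%253C/script%253E"

if __name__ == "__main__":
    for label, raw in (("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED)):
        for fixed in (False, True):
            out = dir_php_error_message(raw, fixed)
            print(label, "fixed" if fixed else "orig", contains_live_markup(out), out)
```

The point is the ordering rather than anything specific to the web server: any decode step that runs after the escape step reopens the hole, which is why either moving urldecode() into getRequestVar() ahead of the escaping or escaping at output time works.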



Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #133 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Sat, 9 Dec 2006 16:37:49 -0800
[Message part 1 (text/plain, inline)]
I've prepared an updated fix for this (and other) problems. I split
the previous patch into 2, and created 2 other new ones to fix other
problems. All 4 are attached, and my repository contains the updated
packages. Here's a description of the patches:

11_missed_security_fixes.dpatch:

This patch now contains only the security fixes in 2.2 that I missed
when I was previously adding fixes.

12_metaInfo_remote_command.dpatch:

This patch combines my previously suggested fix of using
SecurityClean() on $torrent, in both metaInfo.php and startpop.php,
and Stefan's suggested fix of using escapeshellarg($torrent) in
metaInfo.php. Only one is required, but I used both just to be safe.

13_possible_xss_vulnerability.dpatch:

This patch uses htmlentities() before printing any variables that have
been urldecoded after being read in (when htmlentities is initially
run). I'm still not sure this can be exploited, as I have not yet been
able to do it, but it may depend on the web server in use or its
configuration, so I decided to fix it anyway to be safe. It's a pretty
easy fix anyway.

14_maketorrent_remote_command.dpatch:

Upstream told me about this one. In maketorrent.php there's another
place where an input variable is used unescaped in an exec. This patch
escapes the variable before executing it.

Let me know if I missed something, or what you think of the patches. I
think I managed to take care of every problem mentioned in this bug
report, but it is quite long so I could be mistaken.

Cameron
[11_missed_security_fixes.dpatch (application/octet-stream, attachment)]
[12_metaInfo_remote_command.dpatch (application/octet-stream, attachment)]
[13_possible_xss_vulnerability.dpatch (application/octet-stream, attachment)]
[14_maketorrent_remote_command.dpatch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#400582; Package torrentflux. (full text, mbox, link).


Acknowledgement sent to "Cameron Dale" <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Cameron Dale <camrdale@gmail.com>. (full text, mbox, link).


Message #138 received at 400582@bugs.debian.org (full text, mbox, reply):

From: "Cameron Dale" <camrdale@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>
Cc: 400582@bugs.debian.org
Subject: Re: Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Date: Mon, 11 Dec 2006 21:19:49 -0800
FYI, I will probably try and upload this on Thursday (Dec. 14th), in
the hopes of eventually getting included back into Etch. Unless of
course there are any more problems that come up, or problems pointed
out with the fixes I have here.

Thanks,
Cameron



Reply sent to Cameron Dale <camrdale@gmail.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #143 received at 400582-close@bugs.debian.org (full text, mbox, reply):

From: Cameron Dale <camrdale@gmail.com>
To: 400582-close@bugs.debian.org
Subject: Bug#400582: fixed in torrentflux 2.1-7
Date: Mon, 18 Dec 2006 00:56:09 +0000
Source: torrentflux
Source-Version: 2.1-7

We believe that the bug you reported is fixed in the latest version of
torrentflux, which is due to be installed in the Debian FTP archive:

torrentflux_2.1-7.diff.gz
  to pool/main/t/torrentflux/torrentflux_2.1-7.diff.gz
torrentflux_2.1-7.dsc
  to pool/main/t/torrentflux/torrentflux_2.1-7.dsc
torrentflux_2.1-7_all.deb
  to pool/main/t/torrentflux/torrentflux_2.1-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 400582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cameron Dale <camrdale@gmail.com> (supplier of updated torrentflux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 16 Dec 2006 22:30:44 -0800
Source: torrentflux
Binary: torrentflux
Architecture: source all
Version: 2.1-7
Distribution: unstable
Urgency: high
Maintainer: Cameron Dale <camrdale@gmail.com>
Changed-By: Cameron Dale <camrdale@gmail.com>
Description: 
 torrentflux - web based, feature-rich BitTorrent download manager
Closes: 400582
Changes: 
 torrentflux (2.1-7) unstable; urgency=high
 .
   * Add more security fixes (Closes: #400582)
     - some missed previously (11_missed_security_fixes.dpatch)
     - remote command execution in metaInfo.php, issue
       CVE-2006-6331 (12_metaInfo_remote_command.dpatch)
     - possible XSS vulnerability due to urldecode
       (13_possible_xss_vulnerability.dpatch)
     - remote command execution in maketorrent.php,
       (14_maketorrent_remote_command.dpatch)
     - more possible fixes just to be safe
       (15_additional_possible_fixes.dpatch)
Files: 
 c2007ff877e2e72df2bdd88ab714e3a1 629 web optional torrentflux_2.1-7.dsc
 7c7e9f51d756bc1109fa0b09a4c588a1 40257 web optional torrentflux_2.1-7.diff.gz
 81f96bd4ffb1d4a850b2c2fb943d66ae 426224 web optional torrentflux_2.1-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFheHN9n4qXRzy1ioRAkKLAJwNbg5zaSUV1BsMX1YZkqdIlTGNTACgkSYC
bV0eeXEaxbZrXrtnM8xOLRw=
=95pw
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 19:54:17 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 09:55:21 2025; Machine Name: buxtehude
