Debian Bug report logs - #504178
KTorrent Web Interface Torrent Upload and PHP Code Injection

version graph

Package: ktorrent2.2; Maintainer for ktorrent2.2 is (unknown);

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Tue, 28 Oct 2008 10:12:04 UTC

Severity: important

Tags: security

Fixed in version ktorrent2.2/2.2.8.dfsg.1-1

Done: Modestas Vainius <modestas@vainius.eu>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503817; Package ktorrent. (Tue, 28 Oct 2008 10:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Tue, 28 Oct 2008 10:12:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: KTorrent Web Interface Torrent Upload and PHP Code Injection
Date: Tue, 28 Oct 2008 10:41:33 +0100
Package: ktorrent
Version: 3.1.1+dfsg.1-1
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- From Secunia:

Some vulnerabilities have been discovered in KTorrent, which can be
exploited by malicious users to compromise a vulnerable system and
malicious people to bypass certain security restrictions.

1) The web interface plugin does not properly restrict access to the
torrent upload functionality. This can be exploited to upload
arbitrary torrent files by sending specially crafted HTTP POST
request to the affected application.

2) The web interface plugin does not properly sanitise request
parameters before passing them to the PHP interpreter. This can be
exploited to inject and execute arbitrary PHP code by passing
specially crafted parameters to the PHP scripts of the web
interface.

Successful exploitation of the vulnerabilities requires that the web
interface plugin is enabled (not the default setting).

The vulnerabilities are confirmed in version 3.1.3. Prior versions
may also be affected.

SOLUTION:
Update to version 3.1.4.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://ktorrent.org/?q=node/23



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkG3kkACgkQNxpp46476apjzwCcCVWwk16L3A1BJYossCFexxC3
KiMAnRx7vWlkbYZ8IT2B6We7YgASOSQ1
=wju5
-----END PGP SIGNATURE-----




Bug marked as fixed in version 3.1.4+dfsg.1-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Tue, 28 Oct 2008 10:30:09 GMT) Full text and rfc822 format available.

Bug 503817 cloned as bug 504178. Request was from Modestas Vainius <modestas@vainius.eu> to control@bugs.debian.org. (Sat, 01 Nov 2008 12:48:01 GMT) Full text and rfc822 format available.

Bug reassigned from package `ktorrent' to `ktorrent2.2'. Request was from Modestas Vainius <modestas@vainius.eu> to control@bugs.debian.org. (Sat, 01 Nov 2008 12:48:04 GMT) Full text and rfc822 format available.

Reply sent to Modestas Vainius <modestas@vainius.eu>:
You have taken responsibility. (Sun, 02 Nov 2008 11:57:35 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 02 Nov 2008 11:57:36 GMT) Full text and rfc822 format available.

Message #16 received at 504178-close@bugs.debian.org (full text, mbox):

From: Modestas Vainius <modestas@vainius.eu>
To: 504178-close@bugs.debian.org
Subject: Bug#504178: fixed in ktorrent2.2 2.2.8.dfsg.1-1
Date: Sun, 02 Nov 2008 11:47:04 +0000
Source: ktorrent2.2
Source-Version: 2.2.8.dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
ktorrent2.2, which is due to be installed in the Debian FTP archive:

ktorrent2.2-dbg_2.2.8.dfsg.1-1_amd64.deb
  to pool/main/k/ktorrent2.2/ktorrent2.2-dbg_2.2.8.dfsg.1-1_amd64.deb
ktorrent2.2_2.2.8.dfsg.1-1.diff.gz
  to pool/main/k/ktorrent2.2/ktorrent2.2_2.2.8.dfsg.1-1.diff.gz
ktorrent2.2_2.2.8.dfsg.1-1.dsc
  to pool/main/k/ktorrent2.2/ktorrent2.2_2.2.8.dfsg.1-1.dsc
ktorrent2.2_2.2.8.dfsg.1-1_amd64.deb
  to pool/main/k/ktorrent2.2/ktorrent2.2_2.2.8.dfsg.1-1_amd64.deb
ktorrent2.2_2.2.8.dfsg.1.orig.tar.gz
  to pool/main/k/ktorrent2.2/ktorrent2.2_2.2.8.dfsg.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504178@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Modestas Vainius <modestas@vainius.eu> (supplier of updated ktorrent2.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 02 Nov 2008 12:59:04 +0200
Source: ktorrent2.2
Binary: ktorrent2.2 ktorrent2.2-dbg
Architecture: source amd64
Version: 2.2.8.dfsg.1-1
Distribution: unstable
Urgency: low
Maintainer: Modestas Vainius <modestas@vainius.eu>
Changed-By: Modestas Vainius <modestas@vainius.eu>
Description: 
 ktorrent2.2 - KTorrent v2.2.x - BitTorrent client for KDE3
 ktorrent2.2-dbg - KTorrent v2.2.x debugging symbols
Closes: 504178
Changes: 
 ktorrent2.2 (2.2.8.dfsg.1-1) unstable; urgency=low
 .
   * New upstream release:
     - WebInterface security fixes only (Closes: #504178).
Checksums-Sha1: 
 ab63129be7b5aa41b43ebcd9ed6dd7d9e24573d6 1319 ktorrent2.2_2.2.8.dfsg.1-1.dsc
 b5ceeb7916c87e7047de4d6ae724decad5c63fb9 3269672 ktorrent2.2_2.2.8.dfsg.1.orig.tar.gz
 e3641f04d33d2918c82e830081520c4fc6ac7b6b 531934 ktorrent2.2_2.2.8.dfsg.1-1.diff.gz
 48cb40e6f58db8d12ecf0a237c23be259a7c5646 2820872 ktorrent2.2_2.2.8.dfsg.1-1_amd64.deb
 894002da4ce55bb0514c1a9d02287994e4bfd17d 4805390 ktorrent2.2-dbg_2.2.8.dfsg.1-1_amd64.deb
Checksums-Sha256: 
 cec0cd9e2c8a2985904e38c75e3cf91c9ef2db71e7f79db0e2ad27785bc943b9 1319 ktorrent2.2_2.2.8.dfsg.1-1.dsc
 33b7fcb50ba9f4d6ce2f21d1a2f75192332afd1bbc710a556005a30fae29a45e 3269672 ktorrent2.2_2.2.8.dfsg.1.orig.tar.gz
 d1d091da9931d26e4ddc70957cef7a76f7b3c397dbe6b9ff61ac11b8657504ec 531934 ktorrent2.2_2.2.8.dfsg.1-1.diff.gz
 94b178c3076fce9ea24d5f9cf21f157e96d3d2f3892b5de03f215ab92262e6f0 2820872 ktorrent2.2_2.2.8.dfsg.1-1_amd64.deb
 06f7ea0ab7ac4637c13956a9b4b2d9ffe13fa979f74a19f412cc2ba07854b222 4805390 ktorrent2.2-dbg_2.2.8.dfsg.1-1_amd64.deb
Files: 
 e056ad4dffdb5cb42c890ce961b6f18a 1319 kde optional ktorrent2.2_2.2.8.dfsg.1-1.dsc
 f0ecded7bd02a309c13a5046ef2cf11b 3269672 kde optional ktorrent2.2_2.2.8.dfsg.1.orig.tar.gz
 aeb2349e99005fa5b0db74d84ef96efb 531934 kde optional ktorrent2.2_2.2.8.dfsg.1-1.diff.gz
 cdbf2fa95e149f4c0efe5153d4e27e6b 2820872 kde optional ktorrent2.2_2.2.8.dfsg.1-1_amd64.deb
 1b13ebb081acdfd60fc6acb0f06e05c9 4805390 kde extra ktorrent2.2-dbg_2.2.8.dfsg.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkNjp8ACgkQHO9JRnPq4hTlFACePuKxfz3X8VdvIn6/dLAiGa+a
qccAoPqbfQo47fMD36QgJBLERHQo1Sa2
=LkIb
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Apr 2009 07:29:31 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:13:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.