Hi Cameron,

thanks for looking into this. Unfortunately I think you are only 
partially right. (On the other hand, I don't use torrentflux and 
cannot install it ATM due to libphp-adodb brokenness, so I could be 
wrong as well).

On Wednesday 22 November 2006 09:31, Cameron Dale wrote:
> Unfortunately the report from secunia is poorly titled, and some of
> it doesn't apply to the Debian package, so I'll include some more
> info below for those interested.
>
> On 11/18/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> > 1) Input passed to the "kill" parameter in index.php is not
> > properly sanitised before being used as the command line argument
> > to the "kill" command. This can be exploited to inject arbitrary
> > shell commands via the ";" character.
>
> This doesn't apply to the current version (2.1-5), as it has had
> this input sanitized in fixing a previous 2.1 bug.

As far as I can see, you only call htmlentities on the input. This is 
not enough if you use the input in a command line that is passed to a 
shell. For example the characters |;`$ have special meanings to the 
shell and are not changed by htmlentities.

However, in the example above, the input is only passed to exec and 
this does not seem to use a shell but executes the command directly. 
So this doesn't seem to be exploitable here. On the other hand, there 
are various exec()s of commands that are obviously meant to be 
executed by a shell (with pipes or redirects). This doesn't really 
make sense to me (but I am no php expert).

But I have found an instance where the input is passed to 
shell_exec(). From metaInfo.php:

$result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . 
$cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"]." \"".$torrent."\"");

Here the input ($torrent) is wrapped in double quotes which is not 
enough since the shell will interpret `command` even inside double 
quotes. You should use escapeshellarg() on this.


> None of these is very serious, as all require a registered user to
> exploit the hack.

While this is true, the average admin would not expect that any 
registered user can execute arbitrary commands or delete files. So 
this definitely should be fixed before etch release.

Cheers,
Stefan
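The quoting problem discussed in this thread, as an added example rather than torrentflux's own code: the metaInfo.php command line built the way the quoted snippet builds it, next to a version that passes every shell-bound piece through escapeshellarg(). The $cfg values and the sample file name are constructed; nothing here is executed, the two command strings are only displayed.

```php
<?php
// Added example, not code from torrentflux. $cfg keys are the ones in
// the quoted metaInfo.php call; the values below are constructed.
$cfg = [
    'torrent_file_path' => '/var/lib/torrentflux/torrents',
    'pythonCmd'         => '/usr/bin/python',
    'btshowmetainfo'    => '/usr/bin/btshowmetainfo',
];

// Same construction as the quoted snippet: $torrent wrapped in double
// quotes. The shell still performs `...` and $(...) substitution inside
// double quotes, so the wrapping does not neutralise those characters.
function metainfo_cmd_unsafe(array $cfg, string $torrent): string
{
    return 'cd ' . $cfg['torrent_file_path'] . '; '
         . $cfg['pythonCmd'] . ' -OO ' . $cfg['btshowmetainfo']
         . ' "' . $torrent . '"';
}

// Hardened: escapeshellarg() single-quotes its argument and escapes any
// embedded single quote, so no shell metacharacter in it is interpreted.
// The config values are escaped too, since they also reach the shell.
// "&&" replaces the original ";" so a failed cd does not run the command
// in the wrong directory (a small change from the quoted line).
function metainfo_cmd_safe(array $cfg, string $torrent): string
{
    // Defence in depth: the value is meant to name a file inside
    // torrent_file_path, so refuse anything that is not a bare basename.
    if ($torrent === '' || $torrent !== basename($torrent)) {
        throw new InvalidArgumentException('torrent must be a bare file name');
    }
    return 'cd ' . escapeshellarg($cfg['torrent_file_path']) . ' && '
         . escapeshellarg($cfg['pythonCmd']) . ' -OO '
         . escapeshellarg($cfg['btshowmetainfo']) . ' '
         . escapeshellarg($torrent);
}

// Constructed file name containing the metacharacters Stefan lists.
$name = 'demo`date`$HOME;.torrent';
echo metainfo_cmd_unsafe($cfg, $name), "\n"; // backtick and $ still live
echo metainfo_cmd_safe($cfg, $name), "\n";   // argument arrives as 'demo`date`$HOME;.torrent'
```

Compare the two printed lines: in the first, the double quotes leave the backticks and $HOME for the shell to expand; in the second, escapeshellarg() has single-quoted the name so the shell passes it through untouched.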
