Hi Cameron,

I have looked a bit more, but haven't found many issues. Let's hope 
that this means that there aren't many left ;-)

On Friday 01 December 2006 00:15, Cameron Dale wrote:
> I don't think this will work, because the local user would need to
> be the www-data user to create the '/tmp/`touch /tmp/hello`' under
> the $cfg["torrent_file_path"] directory for it to be found.
> However, it will be possible to exploit the fact that the "torrent"
> input is not checked for ..'s on input, and so the following will
> work (assuming the touch '/tmp/`touch /tmp/hello`' has already been
> done):
>
> http://localhost/torrentflux/details.php?torrent=../../../../tmp/`touch /tmp/hello`
>
> I think the solution is then to use the SecurityClean function on
> the "torrent" input variable in details.php to remove the ../
> ability, and that should take care of it.

showMetaInfo() is also called from startpop.php. You would have to do
SecurityClean(getRequestVar('torrent')) there, too.

On second thought, it would probably be possible to create your own 
custom torrent that contains filenames with backticks? Then one could 
download that and have all files in the correct places. This would be 
a remote command execution again. I guess the attached patch is a 
better solution.

In index.php and dir.php, urldecode() is called after the htmlentities 
escaping is done by getRequestVar(). This allows the escaping to be 
bypassed. In dir.php this could be used for an XSS. Replace $dir by 
htmlentities($dir) in the error message. Or maybe it would be a good 
idea to put the urldecode() into getRequestVar() and remove it from 
all other places.

Just a bug (not security related) in functions.php in file_size(): The 
exec() is broken. It uses shell features but exec() instead of 
shell_exec(). And it adds the filename as "'filename'", which doesn't 
work with either exec() or shell_exec(). I have 
found "ls: '/var/cache/torrentflux/...': No such file or directory" 
in my apache error log. Anyway, I don't understand why ls is used 
there at all...


Cheers,
Stefan
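The index.php/dir.php ordering problem described above, as an added example that is not TorrentFlux code: the simplified getRequestVar() here is an assumption standing in for the real one, and the request value is constructed.

```php
<?php
// Added example (not from the TorrentFlux source). Demonstrates why calling
// urldecode() on a value that getRequestVar() has already passed through
// htmlentities() undoes the escaping, and shows the corrected order.

// Hypothetical stand-in for TorrentFlux's getRequestVar(): escapes on the way in.
function getRequestVar(array $request, string $name): string
{
    return isset($request[$name]) ? htmlentities($request[$name], ENT_QUOTES) : '';
}

// Vulnerable order (as in index.php/dir.php): escape first, decode afterwards.
// htmlentities() sees only %XX sequences, so it changes nothing; urldecode()
// then turns them back into raw markup that reaches the page unescaped.
function escapeThenDecode(array $request, string $name): string
{
    return urldecode(getRequestVar($request, $name));
}

// Corrected order: decode first, escape last, so markup is neutralised.
function decodeThenEscape(array $request, string $name): string
{
    $raw = isset($request[$name]) ? urldecode($request[$name]) : '';
    return htmlentities($raw, ENT_QUOTES);
}

// Constructed request parameter: URL-encoded "<b>unescaped</b>".
$request = ['dir' => '%3Cb%3Eunescaped%3C%2Fb%3E'];

echo "escape-then-decode: " . escapeThenDecode($request, 'dir') . "\n";
echo "decode-then-escape: " . decodeThenEscape($request, 'dir') . "\n";
```

Run with the PHP CLI; the first line prints raw tags (what the browser would render in dir.php's error message), the second prints only entity-escaped text.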



--- /usr/share/torrentflux/www/metaInfo.php	2006-12-04 21:47:33.000000000 +0100
+++ metaInfo.php	2006-12-04 23:28:24.000000000 +0100
@@ -251,7 +251,7 @@
     }
     else
     {
-        $result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"]." \"".$torrent."\"");
+        $result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"]." ".escapeshellarg($torrent));
         echo "<pre>";
         echo htmlentities($result, ENT_QUOTES);
         echo "</pre>";
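Review bot: escapeshellarg() closes the backtick and quote injection through $torrent in the btshowmetainfo argument, but $torrent is still used as a relative path after the `cd`, so the traversal Cameron described (torrent=../../../../tmp/...) would still let the request point the command at any file the web server can read; checking the name with SecurityClean() or basename() before this line, or rejecting names containing "/" or "..", would close that part too. Minor: $cfg["torrent_file_path"] is concatenated into the `cd` unquoted, so wrapping it in escapeshellarg() as well keeps the command intact if the configured path ever contains a space or shell metacharacter.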
