Hi Cameron,

I have looked a bit more, but haven't found many issues. Let's hope that this means that there aren't many left ;-)

On Friday 01 December 2006 00:15, Cameron Dale wrote:
> I don't think this will work, because the local user would need to
> be the www-data user to create the '/tmp/`touch /tmp/hello`' under
> the $cfg["torrent_file_path"] directory for it to be found.
> However, it will be possible to exploit the fact that the "torrent"
> input is not checked for ..'s on input, and so the following will
> work (assuming the touch '/tmp/`touch /tmp/hello`' has already been
> done):
>
> http://localhost/torrentflux/details.php?torrent=../../../../tmp/`touch /tmp/hello`
>
> I think the solution is then to use the SecurityClean function on
> the "torrent" input variable in details.php to remove the ../
> ability, and that should take care of it.

showMetaInfo() is also called from startpop.php. You would have to do SecurityClean(getRequestVar('torrent')) there, too.

On second thought, it would probably be possible to create your own custom torrent that contains filenames with backticks? Then one could download that and have all files in the correct places. This would be a remote command execution again. I guess the attached patch is a better solution.

In index.php and dir.php, urldecode() is called after the htmlentities escaping is done by getRequestVar(). This allows the escaping to be bypassed. In dir.php this could be used for an XSS. Replace $dir by htmlentities($dir) in the error message. Or maybe it would be a good idea to put the urldecode() into getRequestVar() and remove it from all other places.

Just a bug (not security related) in functions.php in file_size(): the exec() is broken. It uses shell features but exec() instead of shell_exec(). And it adds the filename as "'filename'", which works with neither exec() nor shell_exec(). I have found "ls: '/var/cache/torrentflux/...': No such file or directory" in my apache error log. Anyway, I don't understand why ls is used there at all...

Cheers,
Stefan
--- /usr/share/torrentflux/www/metaInfo.php 2006-12-04 21:47:33.000000000 +0100 +++ metaInfo.php 2006-12-04 23:28:24.000000000 +0100 @@ -251,7 +251,7 @@ } else { - $result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"]." \"".$torrent."\""); + $result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"]." ".escapeshellarg($torrent)); echo "<pre>"; echo htmlentities($result, ENT_QUOTES); echo "</pre>";
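Review bot: escapeshellarg($torrent) closes the backtick/quote injection through the torrent name, but the same line still interpolates $cfg["torrent_file_path"], $cfg["pythonCmd"] and $cfg["btshowmetainfo"] unquoted; wrapping at least $cfg["torrent_file_path"] in escapeshellarg() as well (e.g. `"cd " . escapeshellarg($cfg["torrent_file_path"]) . "; "`) would make the command robust to spaces and shell metacharacters in configured paths. Also, as the quoted discussion notes, quoting the argument does not stop a "../" in $torrent from pointing outside torrent_file_path, so details.php and startpop.php still need the input check before showMetaInfo() is called.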
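As an added illustration (not TorrentFlux code and not part of the thread), the following PHP shows the two fixes the discussion converges on: restricting the "torrent" parameter to a plain file inside the configured directory, and quoting every variable part of the btshowmetainfo command; the third function shows the decode-then-escape order for getRequestVar(). The $cfg keys are those named in the thread; the function names are hypothetical.

```php
<?php
// Added example, hypothetical function names; $cfg keys as in the thread.

// Resolve a user-supplied torrent name to a regular file directly inside
// $torrentDir. Returns null for anything else, including "../" traversal.
function resolveTorrentFile(string $torrentDir, string $torrent): ?string
{
    // Only a bare file name is acceptable: no path separators, no "." or "..".
    if ($torrent === '' || $torrent === '.' || $torrent === '..'
        || $torrent !== basename($torrent)) {
        return null;
    }
    $base = realpath($torrentDir);
    $path = realpath($torrentDir . DIRECTORY_SEPARATOR . $torrent);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check on the canonical path, which also defeats symlink tricks.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Build the btshowmetainfo command with every variable part quoted.
// escapeshellarg() neutralises backticks, quotes and $(...) in the name.
// It is locale-aware, so set a UTF-8 locale if names may contain non-ASCII bytes.
function buildMetaInfoCommand(array $cfg, string $torrentPath): string
{
    return 'cd ' . escapeshellarg($cfg['torrent_file_path']) . '; '
         . escapeshellarg($cfg['pythonCmd']) . ' -OO '
         . escapeshellarg($cfg['btshowmetainfo']) . ' '
         . escapeshellarg($torrentPath);
}

// Decode first, then escape. The reverse order (escape in getRequestVar(),
// urldecode() afterwards) is what lets an encoded "<" bypass htmlentities().
function getRequestVarDecoded(string $name): string
{
    $raw = isset($_REQUEST[$name]) ? (string) $_REQUEST[$name] : '';
    return htmlentities(urldecode($raw), ENT_QUOTES);
}

// Constructed usage, as details.php or startpop.php would call it:
// $path = resolveTorrentFile($cfg['torrent_file_path'], $_REQUEST['torrent'] ?? '');
// if ($path === null) { die('invalid torrent name'); }
// $result = (string) shell_exec(buildMetaInfoCommand($cfg, $path));
// echo '<pre>' . htmlentities($result, ENT_QUOTES) . '</pre>';
```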