tags 400582 + pending
thanks

On 11/27/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> I was able to exploit the problem mentioned above to execute shell commands. $cfg["enable_file_priority"] must be false.
Ahh, that's why I couldn't get it to work. Looking at it now it seems obvious, but then hindsight always seems to work like that. Thanks for finding it, Stefan.
> Try http://xxx/torrentflux/details.php?torrent=`touch /tmp/hello`
This did work for me too. I've gone through the security fixes available in upstream's 2.2 beta, and found that I did not catch all of them when I was backporting to 2.1. One of them does fix this problem, so I've created a new patch with all the missing fixes in it. I've attached the new patch file for your consideration, and I think I'm going to hold off on the upload for a few days to make sure I really did get them all this time, and talk to upstream about it. Please let me know if you think this is not sufficient, or if I missed something else.

In consideration of the calls to exec() and shell_exec() mentioned previously, I went through the code to see if I could find any places where this could be exploited. I found a couple of possible problems, which are fixed in the included patch. However, there are lots of occurrences of these functions being called where the input is one of the settings stored in the database (unescaped), which I don't consider a security risk, as you have to be an admin to change them, and if you are an admin then it's much easier to just point the location of the bittornado files to whatever python script you want executed. The other thing I considered is the possibility of some kind of sql injection that could be used to alter these database entries, but that would be a security problem that would need to be fixed anyway, as the database has to be trusted. Am I incorrect in thinking like this, and these are security risks?

By the way, if you want to try out the new package to make sure it works, you can find it in my personal repository here:

deb http://www.cs.sfu.ca/~camerond/personal/debian/
http://www.cs.sfu.ca/~camerond/personal/debian/pool/main/t/torrentflux/

Cameron
11_missed_security_fixes.dpatch
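The bug discussed in this thread is a GET parameter reaching shell_exec() without escaping, so the shell expands backticks before the intended program runs. The following is an added illustration written for this report, not torrentflux's own code or the attached patch: the vulnerable pattern beside a hardened one. The directory, the helper script name and the function names are assumptions.

```php
<?php
// Added example (not torrentflux code). $dir, btshowmetainfo.py and the
// function names are hypothetical.

// Vulnerable pattern: the raw request parameter is interpolated into the
// command string, so /bin/sh interprets backticks, $(...), ; and | in it
// before the python script is ever started.
function torrent_info_unsafe(string $dir, string $torrent): string
{
    return (string) shell_exec("python btshowmetainfo.py $dir/$torrent");
}

// Hardened pattern, in three layers:
//  1. allow-list the file name (letters, digits, . _ - and a .torrent
//     suffix), which excludes every shell metacharacter and path separator;
//  2. resolve the path and confirm it is still inside $dir;
//  3. pass it through escapeshellarg() so the shell sees one literal
//     argument even if a future change loosens the allow-list.
function torrent_info(string $dir, string $torrent): string
{
    if ($torrent[0] === '.'
        || !preg_match('/^[A-Za-z0-9._-]+\.torrent$/', $torrent)) {
        throw new InvalidArgumentException('invalid torrent name');
    }

    $base = realpath($dir);
    $path = realpath($dir . '/' . $torrent);
    if ($base === false || $path === false || dirname($path) !== $base) {
        throw new RuntimeException('torrent file not found');
    }

    $cmd = 'python btshowmetainfo.py ' . escapeshellarg($path);
    return (string) shell_exec($cmd);
}

// The value from this bug report: the unsafe function would run the
// embedded command; the hardened one rejects it at the first check.
$torrent = $_GET['torrent'] ?? '`touch /tmp/hello`';
try {
    echo torrent_info('/var/lib/torrentflux/torrents', $torrent);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

A regression check for the patch is the same request as in the report followed by a look for /tmp/hello; with the hardened handling the file never appears and the request is logged as rejected.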