FYI, I will probably try and upload this on Thursday (Dec. 14th), in
the hopes of eventually getting included back into Etch. Unless of
course there are any more problems that come up, or problems pointed
out with the fixes I have here.
Thanks,
Cameron
I've prepared an updated fix for this (and other) problems. I split
the previous patch into 2, and created 2 other new ones to fix other
problems. All 4 are attached, and my repository contains the updated
packages. Here's a description of the patches:
11_missed_security_fixes.dpatch:
This patch
On 12/4/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities
> escaping is done by getRequestVar(). This allows bypassing the
> escaping. In dir.php this could be used for an XSS. Replace $dir by
> htmlentities($dir) in the error message. O
On Wednesday 06 December 2006 09:00, Cameron Dale wrote:
> > In index.php and dir.php, urldecode() is called after the
> > htmlentities escaping is done by getRequestVar(). This allows
> > bypassing the escaping. In dir.php this could be used for an XSS.
> > Replace $dir by htmlentities($dir) in the
forwarded 400582 http://www.torrentflux.com/contact.php
thanks
Thanks for the additional info Stefan, I've forwarded this information
to upstream. Unfortunately I have no time right now, so it will be a
couple of days before I get to this. One question though (below).
On 12/4/06, Stefan Fritsch
Processing commands for [EMAIL PROTECTED]:
> forwarded 400582 http://www.torrentflux.com/contact.php
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Noted your statement that Bug has been forwarded to
http://www.torrentflux.com/contact.php.
> thanks
Stopping processin
Hi Cameron,
I have looked a bit more, but haven't found many issues. Let's hope
that this means that there aren't many left ;-)
On Friday 01 December 2006 00:15, Cameron Dale wrote:
> I don't think this will work, because the local user would need to
> be the www-data user to create the '/tmp/`t
Unless there are any more problems found with the fix I created, I'm
going to try and get this uploaded by Monday the 4th so I can start
working on the soon-to-be-released new upstream version.
Cameron
On 11/29/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> I didn't have time yet to look at it thoroughly (or test it), but
> AFAICS you now check the file for existence before passing it to the
> shell. This should convert the remote command execution vuln into a
> local privilege escalation. A local us
On Thursday 30 November 2006 22:57, Cameron Dale wrote:
> hostname:~$ touch '/tmp/`touch /tmp/hello`'
> touch: cannot touch `/tmp/`touch /tmp/hello`': No such file or
> directory
My fault. The slashes are still path separators and the
directory '/tmp/`touch /tmp/' does not exist. So you would hav
I didn't have time yet to look at it thoroughly (or test it), but
AFAICS you now check the file for existence before passing it to the
shell. This should convert the remote command execution vuln into a
local privilege escalation. A local user can do
touch '/tmp/`touch /tmp/hello`'
and pass t
Processing commands for [EMAIL PROTECTED]:
> tags 400582 + pending
Bug#400582: arbitrary code execution in metaInfo.php in torrentflux
Tags were: security
Tags added: pending
> thanks
Stopping processing here.
Please contact me if you need assistance.
Debian bug tracking system adminis
tags 400582 + pending
thanks
On 11/27/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> I was able to exploit the problem mentioned above to execute shell
> commands. $cfg["enable_file_priority"] must be false.
Ahh, that's why I couldn't get it to work. Looking at it now it seems
obvious, but then h
I was able to exploit the problem mentioned above to execute shell
commands. $cfg["enable_file_priority"] must be false.
Try
http://xxx/torrentflux/details.php?torrent=`touch /tmp/hello`
Cheers,
Stefan