TorrentFlux “startpop.php” “torrent” Script Insertion

TITLE:
TorrentFlux “startpop.php” “torrent” Script Insertion
CRITICAL:
Not Critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “torrent” parameter of a GET request (/startpop.php?torrent=%22%3E%3Cscript%3Ealert(document.cookies);%3C/script%3E.torrent) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site if the user clicks on a malicious link.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

/startpop.php

Line 36: Change to: $displayName = htmlentities($displayName, ENT_QUOTES);

(Line 36 is normally empty)

Grant only trusted users access to the application.

6 Comments so far

  1. jack style said,

    October 14, 2006 @ 2:48 am

    Thank you a lot for describing this possible security hole.
    I will test it today on my TorrentFlux (2.1).

    greetings ;o)

  2. Chrome said,

    October 17, 2006 @ 1:00 am

    First of all… a person would need to have a TorrentFlux user account to take advantage of this, second, the fix is not as listed above. This would properly fix it:

    $torrent = htmlentities(getRequestVar('torrent'), ENT_QUOTES);

  3. Chrome said,

    October 17, 2006 @ 1:24 am

    Here is a fix for ALL get/request lines for TorrentFlux — just edit settingsfunctions.php line 33:

    return htmlentities(trim($_REQUEST[$varName]), ENT_QUOTES);

    This method is used to grab variables from the request / get line for the system. By changing line 33 of settingsfunctions.php this will fix most if not all of the cross scripting.

  4. r0ut3r said,

    October 17, 2006 @ 9:47 am

    hahah. The most obvious xss vulnerability in torrentflux which hasn’t been discovered is where you can send personal messages ;)

    But it’s less critical.

    poc: alert(document.cookie) hah

  5. Steven Roddis said,

    October 17, 2006 @ 4:11 pm

    “This method is used to grab variables from the request / get line for the system. By changing line 33 of settingsfunctions.php this will fix most if not all of the cross scripting.”

    Yep.. but echoing raw GET query data is not the only thing that you can do with it.

  6. Alan said,

    January 13, 2007 @ 3:08 pm

    Hi! Very nice site! Thank you very much!
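As an added illustration, not code from the advisory, from TorrentFlux, or from any commenter: the snippet below contrasts a stand-in for the getRequestVar() helper discussed in comments 2 and 3 with a version that applies the htmlentities(..., ENT_QUOTES) fix given in the advisory and in those comments. The $request array, the bodies of the two stand-in helpers and the explicit 'UTF-8' charset argument are assumptions; the real settingsfunctions.php and startpop.php are not reproduced.

```php
<?php
// Added example (not TorrentFlux code). getRequestVarUnsafe/getRequestVarSafe
// are stand-ins for the getRequestVar() helper in settingsfunctions.php that
// comment 3 describes; its real body is assumed, not copied.

// Constructed request, playing the role of $_REQUEST. The value mirrors
// the payload shape in the advisory's proof-of-concept URL.
$request = [
    'torrent' => '"><script>alert(document.cookie);</script>.torrent',
];

// Vulnerable shape: trimmed but never encoded, so HTML metacharacters in
// the value reach the page as live markup.
function getRequestVarUnsafe(array $req, string $varName): string
{
    return isset($req[$varName]) ? trim($req[$varName]) : '';
}

// Hardened shape, following the htmlentities(..., ENT_QUOTES) fix proposed
// on this page. ENT_QUOTES encodes both " and ', so the value is inert
// inside double- and single-quoted attributes as well as element bodies.
// The explicit UTF-8 charset is an assumption (the page does not name one).
function getRequestVarSafe(array $req, string $varName): string
{
    $raw = isset($req[$varName]) ? trim($req[$varName]) : '';
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

// True when the value contains no character that could close an
// attribute or open a tag once it is placed in HTML.
function isInertForHtml(string $value): bool
{
    return strpbrk($value, '<>"\'') === false;
}

$unsafe = getRequestVarUnsafe($request, 'torrent');
$safe   = getRequestVarSafe($request, 'torrent');

echo "Vulnerable (value echoed as startpop.php did before the fix):\n";
echo '<title>' . $unsafe . "</title>\n";
echo "\nHardened:\n";
echo '<title>' . $safe . "</title>\n";

// Self-check: the vulnerable path leaks markup, the hardened path does not.
if (isInertForHtml($unsafe) || !isInertForHtml($safe)) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}
```

Run it with `php example.php`: the vulnerable line writes the `<script>` element into the page unchanged, while the hardened line emits `&quot;&gt;&lt;script&gt;...` which the browser displays as text. Two design points worth noting. Encoding at read time, as comment 3's settingsfunctions.php change does, HTML-encodes the value for every consumer, including ones that are not HTML (the torrent name that ends up as a filename, for instance), so encoding at each output point, as the advisory's line 36 change to $displayName does, is the narrower pattern and the one to prefer. And comment 5's point stands: HTML encoding only addresses what happens when the value is rendered; anything else the application does with the raw parameter, such as building a file path from it, needs its own validation.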
