On 11/29/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> I didn't have time yet to look at it thoroughly (or test it), but AFAICS you now check the file for existence before passing it to the shell. This should convert the remote command execution vuln into a local privilege escalation. A local user can do touch '/tmp/`touch /tmp/hello`' and pass the filename to torrentflux and so get the command executed as user www-data. This is definitely less severe than before but IMHO still a bug. It would also convert any vulnerability to create a file with arbitrary name into a code execution vulnerability.
I don't think this will work, because the local user would need to be the www-data user to create the '/tmp/`touch /tmp/hello`' under the $cfg["torrent_file_path"] directory for it to be found.

However, it will be possible to exploit the fact that the "torrent" input is not checked for ..'s on input, and so the following will work (assuming the touch '/tmp/`touch /tmp/hello`' has already been done):

http://localhost/torrentflux/details.php?torrent=../../../../tmp/`touch /tmp/hello`

I think the solution is then to use the SecurityClean function on the "torrent" input variable in details.php to remove the ../ ability, and that should take care of it.

-$torrent = getRequestVar('torrent');
+$torrent = SecurityClean(getRequestVar('torrent'));

The new patch is attached, and I have updated the packages in my repository.

Cameron
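Review bot: the one-line change makes SecurityClean() the only thing stopping a "../" sequence in the torrent parameter from escaping $cfg["torrent_file_path"], and, as the thread notes, the resulting file name still reaches a shell. Consider adding two independent checks in details.php: reject any value that is not a plain file name (for example `if (basename($torrent) !== $torrent) { exit; }`), and verify that realpath() of the joined path still lies inside the configured directory before use. Where the command line is built, pass the path through escapeshellarg() so that a file name containing backticks or other metacharacters is handed to the shell as a single literal argument rather than interpreted, which also closes the local case Stefan describes.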
11_missed_security_fixes.dpatch
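The two hardening steps discussed in this thread (refusing path traversal in the "torrent" parameter and not letting a crafted file name reach the shell unquoted) as an added, self-contained example. This is not TorrentFlux's own code and not the attached patch; the function names resolve_torrent_path() and build_command() are hypothetical, the directory is a constructed temporary one, and only the $cfg["torrent_file_path"] idea is taken from the page.

```php
<?php
// Added example, not TorrentFlux code. Assumes the configured torrent
// directory plays the role of $cfg["torrent_file_path"] from the thread.

/**
 * Map a user-supplied torrent name to a file inside $baseDir, or return
 * null if the name must be rejected. Two independent layers:
 *  1. an allow-list of characters, so "../", backticks, ';', '|' and '$'
 *     never pass;
 *  2. a realpath() containment check, so symlinks inside the directory
 *     that point elsewhere are refused as well.
 */
function resolve_torrent_path(string $baseDir, string $requested): ?string
{
    // Layer 1: plain file name only, ending in .torrent.
    if (!preg_match('/^[A-Za-z0-9._ -]+\.torrent$/', $requested)) {
        return null;
    }

    // Layer 2: the resolved path must sit strictly below the base directory.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;                      // missing file or unresolvable base
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // resolved outside the directory
    }
    if (!is_file($full)) {
        return null;                      // directories, devices etc.
    }
    return $full;
}

/**
 * Build the command line with the path as a single quoted argument, so
 * shell metacharacters in the file name are never interpreted.
 */
function build_command(string $tool, string $path): string
{
    return $tool . ' ' . escapeshellarg($path);
}

// Constructed demo directory and inputs (not real TorrentFlux data).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tf_example_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'good.torrent');

$inputs = [
    'good.torrent',                 // accepted
    '../../../../tmp/x.torrent',    // traversal: rejected by layer 1
    'evil`id`.torrent',             // backticks: rejected by layer 1
    'missing.torrent',              // not present: rejected by layer 2
];
foreach ($inputs as $name) {
    $path = resolve_torrent_path($dir, $name);
    printf("%-30s => %s\n", var_export($name, true),
        $path === null ? 'REJECTED' : build_command('torrentinfo', $path));
}

unlink($dir . DIRECTORY_SEPARATOR . 'good.torrent');
rmdir($dir);
```

The allow-list alone already stops the traversal and backtick cases from the thread; the realpath() check is kept as a second layer because it also catches files that exist under the directory only as symlinks to somewhere else, and escapeshellarg() makes the command construction safe even if a later change loosens the allow-list.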