Hi Cameron, thanks for looking into this. Unfortunately I think you are only partially right. (On the other hand, I don't use torrentflux and cannot install it ATM due to libphp-adodb brokenness, so I could be wrong as well).
On Wednesday 22 November 2006 09:31, Cameron Dale wrote:
> Unfortunately the report from secunia is poorly titled, and some of
> it doesn't apply to the Debian package, so I'll include some more
> info below for those interested.
>
> On 11/18/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> > 1) Input passed to the "kill" parameter in index.php is not
> > properly sanitised before being used as the command line argument
> > to the "kill" command. This can be exploited to inject arbitrary
> > shell commands via the ";" character.
>
> This doesn't apply to the current version (2.1-5), as it has had
> this input sanitized in fixing a previous 2.1 bug.

As far as I can see, you only call htmlentities on the input. This is not enough if you use the input in a command line that is passed to a shell. For example, the characters |;`$ have special meanings to the shell and are not changed by htmlentities.

However, in the example above, the input is only passed to exec and this does not seem to use a shell but executes the command directly. So this doesn't seem to be exploitable here. On the other hand, there are various exec()s of commands that are obviously meant to be executed by a shell (with pipes or redirects). This doesn't really make sense to me (but I am no php expert).

But I have found an instance where the input is passed to shell_exec(). From metaInfo.php:

$result = shell_exec("cd " . $cfg["torrent_file_path"]."; " . $cfg["pythonCmd"] . " -OO " . $cfg["btshowmetainfo"]." \"".$torrent."\"");

Here the input ($torrent) is wrapped in double quotes, which is not enough since the shell will interpret `command` even inside double quotes. You should use escapeshellarg() on this.

> None of these is very serious, as all require a registered user to
> exploit the hack.

While this is true, the average admin would not expect that any registered user can execute arbitrary commands or delete files. So this definitely should be fixed before the etch release.

Cheers,
Stefan
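The metaInfo.php call discussed above, rebuilt as an added example (not torrentflux code) that places the double-quoted form beside an escapeshellarg() form; the $cfg paths and the sample file name are constructed for illustration, and isPlainTorrentName() is a hypothetical extra check, not something from the package.

```php
<?php
// Constructed configuration values standing in for torrentflux's $cfg.
$cfg = [
    'torrent_file_path' => '/var/lib/torrentflux/torrents',
    'pythonCmd'         => '/usr/bin/python',
    'btshowmetainfo'    => '/usr/share/torrentflux/btshowmetainfo.py',
];

// Weak form: $torrent is interpolated inside double quotes. The shell still
// performs command substitution (`...` and $(...)) inside double quotes, so
// whoever controls the file name controls part of the command line.
function buildCommandWeak(array $cfg, string $torrent): string
{
    return 'cd ' . $cfg['torrent_file_path'] . '; '
         . $cfg['pythonCmd'] . ' -OO ' . $cfg['btshowmetainfo']
         . ' "' . $torrent . '"';
}

// Hardened form: escapeshellarg() wraps each value in single quotes and
// escapes embedded single quotes, so the shell passes it through literally.
// The configured paths get the same treatment because they reach the shell
// too, and "&&" stops the command from running if the cd fails.
function buildCommandSafe(array $cfg, string $torrent): string
{
    return 'cd ' . escapeshellarg($cfg['torrent_file_path']) . ' && '
         . escapeshellarg($cfg['pythonCmd']) . ' -OO '
         . escapeshellarg($cfg['btshowmetainfo']) . ' '
         . escapeshellarg($torrent);
}

// Hypothetical defence-in-depth check: accept only a plain .torrent file
// name (no path separators, no shell metacharacters) before shell_exec().
function isPlainTorrentName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]+\.torrent$/', $name);
}

// Constructed sample name containing backticks, as the mail describes;
// "cmd" is a placeholder, not a real command.
$torrent = 'x`cmd`.torrent';
echo "weak:   ", buildCommandWeak($cfg, $torrent), PHP_EOL;
echo "safe:   ", buildCommandSafe($cfg, $torrent), PHP_EOL;
echo "plain?  ", var_export(isPlainTorrentName($torrent), true), PHP_EOL;
echo "plain?  ", var_export(isPlainTorrentName('debian.torrent'), true), PHP_EOL;
```

Running it prints both command lines so the difference in quoting is visible without executing either of them.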