Hi Micah,

Thanks for doing this. Unfortunately, I think one of these reports is a duplicate, and some are inaccurate as they don't apply to version 2.2. I don't know how these work, but if you can update them you may want to make some changes. See my notes below.
On 12/6/06, Micah Anderson <[EMAIL PROTECTED]> wrote:
======================================================
Name: CVE-2006-6328
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

Directory traversal vulnerability in index.php for TorrentFlux 2.2 allows remote attackers to create or overwrite arbitrary files via sequences in the alias_file parameter.
This already has an advisory, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5609

It also doesn't apply to TorrentFlux 2.2, only 2.1 (the original advisory from milw0rm was incorrect, but CVE-2006-5609 is correct in indicating only 2.1 is affected). Also, the Debian bug for this one was 395930.
======================================================
Name: CVE-2006-6329
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote attackers to delete files by specifying the target filename in the delfile parameter.
Again, this is only present in version 2.1, not 2.2. The Debian bug number for this one is 399169.
======================================================
Name: CVE-2006-6330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote registered users to execute arbitrary commands via shell metacharacters in the kill parameter.
Again, not present in 2.2, only in version 2.1. The Debian bug number for this one is also 399169.
======================================================
Name: CVE-2006-6331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1

metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is false, allows remote attackers to execute arbitrary commands via shell metacharacters (backticks) in the torrent parameter to details.php.
This problem, as described, is not present in 2.2, only in 2.1. Also, the dpatch attached is a little misleading as it contains changes that fix the 2 previous problems (6329 and 6330) as well as this one (6331).

There is, however, a similar problem to this in 2.2 that Stefan described as a "local privilege escalation". It uses the torrent parameter and a local user's ability to create a file containing backticks, to then execute arbitrary commands as the webserver user (www-data). I don't think it applies to remote users though, only local. You may want to request another CVE for this one, as it is a separate problem from 6331 and does affect version 2.2.

Cameron

