Blog Torrent btdownload.php Arbitrary File Retrieval

2004-12-02T00:00:00
ID OSVDB:12239
Type osvdb
Reporter Steve Kemp(steve@steve.org.uk)
Modified 2004-12-02T00:00:00

Description

Vulnerability Description

Blog Torrent contains a flaw that allows a remote attacker to access files outside of the web path. The issue is due to the btdownload.php script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the file variable.

Solution Description

Upgrade to version 0.81 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Blog Torrent contains a flaw that allows a remote attacker to access files outside of the web path. The issue is due to the btdownload.php script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the file variable.

Manual Testing Notes

htp://[victim]/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd

References:

Vendor URL: http://www.blogtorrent.com/ Security Tracker: 1012390 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0017.html ISS X-Force ID: 18356 CVE-2004-1212 Bugtraq ID: 11795