ID SECURITYVULNS:DOC:7272 Type securityvulns Reporter Securityvulns Modified 2004-12-02T00:00:00
Description
Intro
Blogtorrent is a collection of PHP scripts which are designed to
make it simple to host files for transfer via bittorrent.
Whilst it is not normal to report security problems in "preview"
releases of software, this software was covered prominently upon
Slashdot and could be widely used, so I feel it's a legitimate
target.
Problem
One of the scripts in the distribution doesn't correctly
sanitize its inputs, before using one of them to read
and serve a file from the local system.
This can be exploited to remotely download any file upon the
webserver which is readable by the UID which the webserver is
running as.
The code in question is contained in btdownload.php and looks like
this:

--
 echo file_get_contents('torrents/'.$_GET['file']);
--

Example
The following URL can be used to download a file:

htp://example.org/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd

(Adjust the ".."'s and the filename to suit your taste).

Fix
Whilst no new release is planned to address this hole the
authors did commit a simple fix to their CVS repository.

This can be obtained from here:

http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7

(The patch was committed less than a day after the hole was privately
reported to them, making them a responsive bunch).
Steve
The Debian Security Audit Project.
http://www.debian.org/security/audit
Setuid Software Lists
http://www.setuid.org/
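As an added example (not code from the advisory or from the Blogtorrent project), the following PHP places the unsanitized pattern the advisory describes beside a hardened replacement. Only the torrents/ directory name and the file_get_contents() call come from the advisory; the function names serve_torrent_unsafe(), serve_torrent_safe() and demo(), the scratch directory under the system temp dir, and the two sample files are constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Blogtorrent's code. Only the 'torrents/' directory name and
// the file_get_contents() call come from the advisory; the function names, the
// scratch directory and the file contents below are constructed for this demo.

// The pattern the advisory quotes: the request parameter is concatenated into
// the path unchanged, so a value containing "../" walks out of torrents/.
function serve_torrent_unsafe(string $file)
{
    return file_get_contents('torrents/' . $file);
}

// Hardened replacement: allow-list the name, then confirm that the resolved
// path still lies inside the torrents directory before reading anything.
function serve_torrent_safe(string $file, string $torrentsDir): ?string
{
    // Accept only a bare file name such as "foo.torrent": no slashes, no NUL
    // bytes, no leading "." and the expected extension.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\.torrent\z/', $file)) {
        return null;
    }

    $base = realpath($torrentsDir);
    if ($base === false) {
        return null; // directory missing: fail closed
    }

    // realpath() collapses ".." and resolves symlinks, so a symlinked entry
    // pointing outside the directory is caught here as well.
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // no such file, or it resolves outside $base
    }

    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// Constructed demonstration: a scratch directory holding torrents/ok.torrent
// and a secret.txt one level above it, standing in for any file the web
// server's UID can read.
function demo(): array
{
    $root = sys_get_temp_dir() . '/bt_demo_' . bin2hex(random_bytes(4));
    mkdir($root . '/torrents', 0700, true);
    file_put_contents($root . '/torrents/ok.torrent', 'd8:announce0:e');
    file_put_contents($root . '/secret.txt', 'contents outside torrents/');

    $cwd = getcwd() ?: sys_get_temp_dir();
    chdir($root); // the unsafe version resolves 'torrents/' relative to the cwd

    $results = [
        'unsafe_benign'    => serve_torrent_unsafe('ok.torrent'),
        'unsafe_traversal' => serve_torrent_unsafe('../secret.txt'), // leaks secret.txt
        'safe_benign'      => serve_torrent_safe('ok.torrent', $root . '/torrents'),
        'safe_traversal'   => serve_torrent_safe('../secret.txt', $root . '/torrents'), // null
    ];

    chdir($cwd);
    unlink($root . '/torrents/ok.torrent');
    unlink($root . '/secret.txt');
    rmdir($root . '/torrents');
    rmdir($root);

    return $results;
}

var_dump(demo());
```

Running the script shows the unsafe version returning the contents of secret.txt for the traversal name while the hardened version returns null for it and still serves ok.torrent. The allow-list regex is the first line of defence, but the realpath() containment check is the one that matters: it also rejects a symlink inside torrents/ that points elsewhere, which a name-only filter would miss.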
{"id": "SECURITYVULNS:DOC:7272", "bulletinFamily": "software", "title": "Blog Torrent preview 0.8 - arbitary file download", "description": "\r\nIntro\r\n-----\r\n\r\n Blogtorrent is a collection of PHP scripts which are designed to \r\n make it simple to host files for transfer via bittorrent.\r\n\r\n Whilst it is not normal to report security problems in "preview"\r\n releases of software this software was covered prominently upon \r\n Slashdot and could be widely used, so I feel it's a legitimate\r\n target.\r\n\r\n\r\n\r\nProblem\r\n-------\r\n\r\n One of the scripts in the distribution doesn't correctly\r\n sanitize it's inputs, before using one of them to read \r\n and serve a file from the local system.\r\n\r\n This can be exploited to remotely download any file upon the \r\n webserver which is readable by the UID which the webserver is\r\n running as.\r\n\r\n The code in question is contained in btdownload.php and looks like\r\n this:\r\n\r\n--\r\n echo file_get_contents('torrents/'.$_GET['file']);\r\n--\r\n\r\n\r\n\r\nExample\r\n-------\r\n\r\n The following URL can be used to download a file:\r\n\r\n\r\n htp://example.org/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd\r\n\r\n (Adjust the ".."'s and the filename to suit your taste).\r\n\r\n\r\nFix\r\n---\r\n\r\n Whilst no new release is planned to address this hole the\r\n authors did commit a simple fix to their CVS repository.\r\n\r\n This can be obtained from here:\r\n\r\n http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7\r\n\r\n (The patch was committed less than a day after the hole was privately\r\n reported to them, making them a responsive bunch).\r\n\r\nSteve\r\n--\r\n# The Debian Security Audit Project.\r\nhttp://www.debian.org/security/audit\r\n\r\n# Setuid Software Lists\r\nhttp://www.setuid.org/", "published": "2004-12-02T00:00:00", "modified": "2004-12-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:DOC:7272", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:11", "edition": 1, "viewCount": 11, "enchantments": {"score": {"value": 2.8, "vector": "NONE", "modified": "2018-08-31T11:10:11", "rev": 2}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:F3563336B135A1D7C1251AE54FDC6286"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1318.NASL", "EULEROS_SA-2020-1323.NASL", "FREEBSD_PKG_090763F6703011EA93DD080027846A02.NASL", "EULEROS_SA-2020-1314.NASL", "DEBIAN_DLA-2164.NASL", "FREEBSD_PKG_40194E1C6D8911EA808280EE73419AF3.NASL", "EULEROS_SA-2020-1350.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201314", "OPENVAS:1361412562311220201350", "OPENVAS:1361412562311220201323", "OPENVAS:1361412562311220201318", "OPENVAS:1361412562310892164"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2164-1:52F3C"]}, {"type": "zdt", "idList": ["1337DAY-ID-34159", "1337DAY-ID-34153", "1337DAY-ID-34157", "1337DAY-ID-34144", "1337DAY-ID-34134"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10149"]}], "modified": "2018-08-31T11:10:11", "rev": 2}, "vulnersScore": 2.8}, "affectedSoftware": []}