Blog Torrent preview 0.8 - arbitary file download

2004-12-02T00:00:00
ID SECURITYVULNS:DOC:7272
Type securityvulns
Reporter Securityvulns
Modified 2004-12-02T00:00:00

Description

Intro

Blogtorrent is a collection of PHP scripts which are designed to make it simple to host files for transfer via bittorrent.

Whilst it is not normal to report security problems in "preview" releases of software this software was covered prominently upon Slashdot and could be widely used, so I feel it's a legitimate target.

Problem

One of the scripts in the distribution doesn't correctly sanitize it's inputs, before using one of them to read and serve a file from the local system.

This can be exploited to remotely download any file upon the webserver which is readable by the UID which the webserver is running as.

The code in question is contained in btdownload.php and looks like this:

-- echo file_get_contents('torrents/'.$_GET['file']); --

Example

The following URL can be used to download a file:

htp://example.org/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd

(Adjust the ".."'s and the filename to suit your taste).

Fix

Whilst no new release is planned to address this hole the authors did commit a simple fix to their CVS repository.

This can be obtained from here:

http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7

(The patch was committed less than a day after the hole was privately reported to them, making them a responsive bunch).

Steve

The Debian Security Audit Project.

http://www.debian.org/security/audit

Setuid Software Lists

http://www.setuid.org/