Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Blog Torrent Arbitrary File Downloading

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Blog Torrent Arbitrary File Downloading
Date: 16 Dec 2004 15:01:36 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Blog Torrent Arbitrary File Downloading
------------------------------------------------------------------------


SUMMARY

Blogtorrent is "a collection of PHP scripts that are designed to make it 
simple to host files for transfer via bittorrent". One of the scripts in 
the Blogtorrent doesn't correctly sanitize it's inputs, before using one 
of them to read and serve a file from the local system.

DETAILS

Vulnerable Systems:
 * Blog Torrent preview version 0.8

The above mentioned vulnerability can be exploited to remotely download 
any file upon the web server that is readable by the UID that the web 
server is running as.

The code in question is contained in btdownload.php and looks like this:
echo file_get_contents('torrents/'.$_GET['file']);

Exploit:
The following URL can be used to download a file: 
htp://example/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd 
(Adjust the ".."'s and the filename to suit your taste).

Fix:
While no new release is planned to address this hole the authors did 
commit a simple fix to their CVS repository.

This can be obtained from here:  
<http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7>
 
http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7

(The patch was committed less than a day after the hole was privately 
reported to them, making them a responsive bunch).


ADDITIONAL INFORMATION

The information has been provided by  <mailto:steve@steve.org.uk> Steve 
Kemp.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Blog Torrent Arbitrary File Downloading, SecuriTeam <=
Previous by Date:  [UNIX] Rssh and Scponly Arbitrary Command Execution, SecuriTeam
Next by Date:  [NEWS] Content-Type Spoofing in Mozilla Firefox and Opera Allows Users to Bypass Security Restrictions, SecuriTeam
Previous by Thread:  [UNIX] Rssh and Scponly Arbitrary Command Execution, SecuriTeam
Next by Thread:  [NEWS] Content-Type Spoofing in Mozilla Firefox and Opera Allows Users to Bypass Security Restrictions, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]