Full Disclosure mailing list archives
Re: Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
From: Thomas Deutschmann <whissi () gentoo org>
Date: Sun, 19 Mar 2017 03:48:48 +0100
On 2017-03-05 07:22, Kyle Neideck wrote:
Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13 Kyle Neideck, February 2017 Product ------- Deluge is a BitTorrent client available from http://deluge-torrent.org. Fix --- Fixed in the (public) source code, but not in binary releases yet. See http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9 and http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583 Install from source or use the web UI from an incognito/private window until new binaries are released. Summary ------- Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web UI plug-in resulting in remote code execution. Requests made to the /json endpoint are not checked for CSRF. See the "render" function of the "JSON" class in deluge/ui/web/json_api.py. The Web UI plug-in is installed, but not enabled, by default. If the user has enabled the Web UI plug-in and logged into it, a malicious web page can use forged requests to make Deluge download and install a Deluge plug-in provided by the attacker. The plug-in can then execute arbitrary code as the user running Deluge (usually the local user account).
I requested a CVE via MITRE web form and received the following ID:
[Suggested description] CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
Use CVE-2017-7178.
-- Regards, Thomas Deutschmann / Gentoo Security Team C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13 Kyle Neideck (Mar 05)
- Re: Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13 Thomas Deutschmann (Mar 20)