oss-sec mailing list archives

Re: CVE requests for 2 separate vulns in torrentflux 2.4.5-1 (debian stable)


From: cve-assign () mitre org
Date: Tue, 2 Sep 2014 19:13:18 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759574

The XSS can be triggered by an unauthenticated attacker. A malicious
torrent file such as the POC attached can be crafted and shared by an
attacker. Upon starting the download from Torrentflux, some of the file
contents are pasted without output encoding into a script section,
triggering the XSS. An alternate vector (authenticated) is for an attacker
to upload the torrent file to his own account and subsequently share a link
to the torrent's details.

Use CVE-2014-6027 (i.e., for both vectors).


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759573

An authenticated attacker on the webapp can access all users' cookies stored
in the database by iterating the cid (cookie id) in the following fashion:

/torrentflux/profile.php?op=editCookies&cid=<ITERATOR>

The function getCookie is implemented at torrentflux/www/functions.php L395

Use CVE-2014-6028 for this report about the ability to read cookies.


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759573#16
From: Salvatore Bonaccorso <carnil () debian org>

FTR in the bug: Given that it is also possible to delete or modify
cookies.

Use CVE-2014-6029 for this report about the ability to delete or
modify cookies. (The nature of the attack is not identical and it was
reported by a different person.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUBk5PAAoJEKllVAevmvmsgtYH/1/JqyAnliUKei7JOKrFelFq
/gkmffgsWLn3YWAbnm0mwqwZO2QWTjIXpqcqf2M6UyGqYTOwqaNwBVxWv+f83exz
tsg6A4dCHGVJQCzaO4SbbzL2i+F6dmo2Tn9GS3u1x7W3BirgDSp+v9z0dswN67aU
Ra5HyJCr2tQUw6PXr63b1Brfgcw20kBtfRb0FI/S4+89R2tbMr+nhrs5W9XVugbp
jb6qCsAi2HHSIpZFucNNSX2KaLiDQyZ9qXKZVMqlRL66osE5nw7LyDmhlU6aO0y9
QsRBU7jj0k1xmlrpXhZWVIX5L4Yp9hkiQPYI3VKd/RAT0JWQd/FVa9Hlg1dj104=
=SLx9
-----END PGP SIGNATURE-----
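The two bug reports above describe a missing ownership check on a user-controlled record id (the cid iteration) and untrusted torrent metadata written into a script section without output encoding. The PHP below is an added illustration of the defensive patterns for both; it is not torrentflux code and not from the CVE team or the bug reporters. The in-memory cookie table, the column names and every function name (getCookieInsecure, getCookieForUser, deleteCookieForUser, jsStringLiteral, renderDetailsScript) are assumptions made for this example.

```php
<?php
// Added example, not torrentflux code. Demonstrates the fixes for the two
// patterns in the CVE assignment above:
//  1) a per-user record addressed by an attacker-controlled id must be looked
//     up together with its owner, never by id alone (CVE-2014-6028/6029);
//  2) untrusted torrent metadata placed inside a <script> section must be
//     encoded for that context (CVE-2014-6027).
// Table layout, sample rows and function names are assumptions.

declare(strict_types=1);

// Constructed sample data standing in for the cookie table.
$COOKIES = [
    1 => ['cid' => 1, 'uid' => 'alice', 'host' => 'tracker.example', 'data' => 'sess=a1'],
    2 => ['cid' => 2, 'uid' => 'bob',   'host' => 'tracker.example', 'data' => 'sess=b2'],
];

// Vulnerable pattern: lookup keyed on cid only, so any logged-in user can
// walk every cid. Kept only to contrast with the fixed version.
function getCookieInsecure(array $db, int $cid): ?array
{
    return $db[$cid] ?? null;
}

// Fixed pattern: the owner is part of the lookup predicate. Against a real
// database this is "WHERE cid = ? AND uid = ?" in a prepared statement, and
// the same predicate must guard update and delete, not only read.
function getCookieForUser(array $db, int $cid, string $uid): ?array
{
    $row = $db[$cid] ?? null;
    if ($row === null || !hash_equals($row['uid'], $uid)) {
        return null;   // not found or not owned: identical answer either way
    }
    return $row;
}

function deleteCookieForUser(array &$db, int $cid, string $uid): bool
{
    if (getCookieForUser($db, $cid, $uid) === null) {
        return false;  // refuse to touch a row the caller does not own
    }
    unset($db[$cid]);
    return true;
}

// Script-context encoding for untrusted torrent metadata. The JSON_HEX_*
// flags escape < > & ' " as \uXXXX, so a value containing "</script>"
// cannot close the block, and the result is a valid JavaScript string literal.
function jsStringLiteral(string $untrusted): string
{
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderDetailsScript(string $torrentName): string
{
    return '<script>var torrentName = ' . jsStringLiteral($torrentName) . ';</script>';
}

// Demonstration with a constructed hostile name of the kind a crafted
// .torrent could carry.
$hostileName = '</script><script>alert(1)</script>';
echo renderDetailsScript($hostileName), PHP_EOL;

// Same cid, different callers: the insecure lookup leaks bob's row to anyone,
// the fixed lookup returns NULL unless the caller owns it.
var_dump(getCookieInsecure($COOKIES, 2) !== null);
var_dump(getCookieForUser($COOKIES, 2, 'alice'));
var_dump(deleteCookieForUser($COOKIES, 2, 'alice'));
var_dump(deleteCookieForUser($COOKIES, 2, 'bob'));
```

The ownership predicate is the whole fix for the cookie reports: returning "not found" for both missing and foreign rows keeps an attacker from using the response to confirm which cids exist. For the XSS, encoding into a JavaScript string literal is only correct when the value lands inside quotes in a script block; data emitted into HTML text or attributes needs htmlspecialchars instead, and the two encoders are not interchangeable.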
