oss-sec mailing list archives
Re: CVE requests for 2 separate vulns in torrentflux 2.4.5-1 (debian stable)
From: cve-assign () mitre org
Date: Tue, 2 Sep 2014 19:13:18 -0400 (EDT)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759574
>
> The XSS that can be triggered by an unauthenticated attacker. A malicious torrent file such as the POC attached can be crafted and shared by an attacker. Upon starting the download from Torrentflux, some of the file contents are pasted without output encoding into a script section, triggering the XSS. An alternate vector (authenticated) is for an attacker to upload the torrent file to his own account and subsequently share a link the torrent's details
Use CVE-2014-6027 (i.e., for both vectors).
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759573
>
> An authenticated attacker on the webapp can access all users' cookies stored in the database by iterating the cid (cookie id) in the following fashion:
>
> /torrentflux/profile.php?op=editCookies&cid=<ITERATOR>
>
> The function getCookie is implemented at torrentflux/www/functions.php L395
Use CVE-2014-6028 for this report about the ability to read cookies.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759573#16
> From: Salvatore Bonaccorso <carnil () debian org>
>
> FTR in the bug: Given that it is also possible to delete or modify cookies.
Use CVE-2014-6029 for this report about the ability to delete or modify cookies. (The nature of the attack is not identical and it was reported by a different person.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
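Added example, not part of the original message and not TorrentFlux code: the cookie reports above (CVE-2014-6028 for reading, CVE-2014-6029 for deleting or modifying) both come down to selecting a row by cid alone, so this sketch puts that pattern beside a version that binds every statement to the session's user and records cross-user attempts for alerting. The `cookies` table, its columns, the sample rows, the `ScopedCookies` class and the use of sqlite3 are all assumptions made for illustration.

```python
import sqlite3

# Constructed schema and rows: the report names only the `cid` parameter and
# getCookie; the table, columns and values here are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cookies (cid INTEGER PRIMARY KEY, uid INTEGER, host TEXT, data TEXT)")
    db.executemany(
        "INSERT INTO cookies (cid, uid, host, data) VALUES (?, ?, ?, ?)",
        [(1, 10, "tracker.example", "constructed-cookie-a"),
         (2, 20, "tracker.example", "constructed-cookie-b")])
    return db

def get_cookie_unscoped(db, cid):
    """Flawed pattern from the report: the row is selected by cid alone."""
    return db.execute("SELECT host, data FROM cookies WHERE cid = ?", (cid,)).fetchone()

class ScopedCookies:
    """Every statement is bound to the uid taken from the server-side session."""
    def __init__(self, db, session_uid):
        self.db, self.uid = db, session_uid
        self.denied = []  # (uid, op, cid) tuples to feed into alerting

    def _owns(self, op, cid):
        row = self.db.execute("SELECT uid FROM cookies WHERE cid = ?", (cid,)).fetchone()
        if row is not None and row[0] != self.uid:
            self.denied.append((self.uid, op, cid))  # cross-user attempt
        return row is not None and row[0] == self.uid

    def get(self, cid):
        if not self._owns("read", cid):
            return None  # same answer for "not yours" and "does not exist"
        return self.db.execute(
            "SELECT host, data FROM cookies WHERE cid = ? AND uid = ?",
            (cid, self.uid)).fetchone()

    def modify(self, cid, host, data):
        if not self._owns("modify", cid):
            return False
        cur = self.db.execute(
            "UPDATE cookies SET host = ?, data = ? WHERE cid = ? AND uid = ?",
            (host, data, cid, self.uid))
        return cur.rowcount == 1

    def delete(self, cid):
        if not self._owns("delete", cid):
            return False
        cur = self.db.execute("DELETE FROM cookies WHERE cid = ? AND uid = ?", (cid, self.uid))
        return cur.rowcount == 1
```

A run of `denied` entries from one uid across consecutive cid values is the signature of the iteration described in the report.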