Bug 468983 (CVE-2008-5905, CVE-2008-5906)

Summary: CVE-2008-5905 CVE-2008-5906 ktorrent: multiple security issues in the web interface
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jlieskov, rdieter, roland.wolters, tuxbrewr
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 07:33:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 469020

Description Tomas Hoger 2008-10-29 11:23:45 UTC
KTorrent 3.1.4 was released fixing multiple security issues in KTorrent's web interface.  Quoting Secunia:

  Some vulnerabilities have been discovered in KTorrent, which can be
  exploited by malicious users to compromise a vulnerable system and malicious
  people to bypass certain security restrictions.

  1) The web interface plugin does not properly restrict access to the torrent
  upload functionality. This can be exploited to upload arbitrary torrent
  files by sending a specially crafted HTTP POST request to the affected
  application.

  2) The web interface plugin does not properly sanitise request parameters
  before passing them to the PHP interpreter. This can be exploited to inject
  and execute arbitrary PHP code by passing specially crafted parameters to
  the PHP scripts of the web interface.

  Successful exploitation of the vulnerabilities requires that the web
  interface plugin is enabled (not the default setting).

The Gentoo bug report (see below) confirms that both issues also affect ktorrent 2.x and has patch backports to 2.2.7 attached.

References:
http://ktorrent.org/?q=node/23
http://secunia.com/advisories/32442/
http://bugs.gentoo.org/show_bug.cgi?id=244741
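Both weaknesses in the advisory are structural: an upload entry point reachable without a logged-in session, and request parameters that end up being interpreted as PHP instead of merely selecting behaviour. The handler below is an added illustration written for this page, not KTorrent's code or its fix. It assumes a hypothetical session flag `authenticated` set by a separate login step, a request parameter named `action`, and a `torrentDir` directory for accepted files; it shows how an allowlisted dispatch table plus an authentication gate rules out both problem classes, and it runs stand-alone from the CLI with constructed requests.

```php
<?php
declare(strict_types=1);
// Added illustration, not KTorrent's code: a request handler for a small
// torrent web interface. Assumed (hypothetical): a session flag
// 'authenticated' set by a separate login step, a request parameter
// 'action', and a directory $torrentDir holding accepted .torrent files.

/** Fixed table of supported actions. A request parameter selects an entry
 *  here; it is never concatenated into PHP source or passed to eval(). */
const ACTIONS = [
    'list'   => 'actionList',
    'upload' => 'actionUpload',
];

/** Actions that change server state and therefore require POST. */
const MUTATING = ['upload' => true];

function isAuthenticated(array $session): bool
{
    return ($session['authenticated'] ?? false) === true;
}

/** Read-only action: names of stored torrents. */
function actionList(array $params, array $files, string $torrentDir): string
{
    $paths = glob($torrentDir . '/*.torrent') ?: [];
    return implode("\n", array_map('basename', $paths));
}

/** Upload: only reachable through handleRequest(), i.e. after the
 *  authentication and method checks. The body is checked for the shape of a
 *  bencoded dictionary and stored under a server-chosen name. */
function actionUpload(array $params, array $files, string $torrentDir): string
{
    $tmp = $files['torrent']['tmp_name'] ?? '';
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        return 'no file';
    }
    $data = file_get_contents($tmp);
    // A .torrent file is a bencoded dictionary: it starts with 'd' and ends with 'e'.
    if ($data === false || $data === '' || $data[0] !== 'd' || substr($data, -1) !== 'e') {
        return 'not a torrent';
    }
    $dest = $torrentDir . '/' . sha1($data) . '.torrent';   // never the client-supplied name
    if (!move_uploaded_file($tmp, $dest)) {
        return 'store failed';
    }
    return 'stored ' . basename($dest);
}

/** Returns [HTTP status, response body]. */
function handleRequest(string $method, array $params, array $session, array $files, string $torrentDir): array
{
    if (!isAuthenticated($session)) {
        return [403, 'forbidden'];          // no anonymous access to any action
    }
    $action = $params['action'] ?? '';
    if (!array_key_exists($action, ACTIONS)) {
        return [400, 'unknown action'];     // parameter is looked up, not executed
    }
    if (array_key_exists($action, MUTATING) && $method !== 'POST') {
        return [405, 'method not allowed'];
    }
    $fn = ACTIONS[$action];
    return [200, $fn($params, $files, $torrentDir)];
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo with constructed requests (run: php handler.php).
    $dir = sys_get_temp_dir() . '/torrent-demo';
    if (!is_dir($dir)) { mkdir($dir, 0700); }
    $anon = [];
    $user = ['authenticated' => true];
    foreach ([
        ['POST', ['action' => 'upload'], $anon],   // 403: not logged in
        ['GET',  ['action' => 'bogus'],  $user],   // 400: not in the allowlist
        ['GET',  ['action' => 'upload'], $user],   // 405: state change needs POST
        ['GET',  ['action' => 'list'],   $user],   // 200
    ] as [$m, $p, $s]) {
        [$code, $body] = handleRequest($m, $p, $s, [], $dir);
        printf("%-4s action=%-7s -> %d %s\n", $m, $p['action'], $code, $body);
    }
} else {
    // Web entry point: map the PHP superglobals onto the same handler.
    session_start();
    [$code, $body] = handleRequest($_SERVER['REQUEST_METHOD'], $_POST + $_GET,
                                   $_SESSION, $_FILES, __DIR__ . '/torrents');
    http_response_code($code);
    header('Content-Type: text/plain');
    echo $body;
}
```

The design point is that the only code path to `actionUpload()` passes through the session check and the POST requirement, and that the `action` parameter can never do more than pick a row of `ACTIONS`; a value that is not a key is rejected before any function is called, which is what closes the eval-injection class regardless of how the parameter is spelled.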

Comment 1 Tomas Hoger 2008-10-29 11:24:47 UTC
F9 already fixed via:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9167

F8 can possibly be addressed using rbu's patch backports.

Comment 2 Rex Dieter 2008-10-29 14:09:17 UTC
pinged upstream about kde3's ktorrent-2.2.x (used in F-8):
http://ktorrent.org/forum/viewtopic.php?p=14574

In the meantime, will look over gentoo's patches.

Comment 3 Jan Lieskovsky 2009-01-16 12:47:42 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5905 to
the following vulnerability:

The web interface plugin in KTorrent before 3.1.4 allows remote
attackers to bypass intended access restrictions and upload arbitrary
torrent files, and trigger the start of downloads and seeding, via a
crafted HTTP POST request.

References: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5905
http://openwall.com/lists/oss-security/2009/01/08/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504178
http://ktorrent.org/?q=node/23
https://bugs.gentoo.org/show_bug.cgi?id=244741
http://secunia.com/advisories/32442
http://secunia.com/advisories/32447

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5906 to
the following vulnerability:

Eval injection vulnerability in the web interface plugin in KTorrent
before 3.1.4 allows remote attackers to execute arbitrary PHP code via
unspecified parameters to this interface's PHP scripts.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5906
http://openwall.com/lists/oss-security/2009/01/08/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504178
http://ktorrent.org/?q=node/23
https://bugs.gentoo.org/show_bug.cgi?id=244741
http://secunia.com/advisories/32442
http://secunia.com/advisories/32447

Comment 4 Roland Wolters 2009-01-19 21:23:00 UTC
All currently supported Fedora releases ship Ktorrent 3.1.5 - so I think we can close this bug. Other opinions?

Comment 5 Red Hat Product Security 2009-01-20 07:33:01 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9167

Comment 6 Fedora Update System 2009-12-07 06:29:18 UTC
ktorrent-2.2.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.