[转载]Blog Torrent Arbitrary File Downloading

信息来源：www.securiteam.com

Blog Torrent Arbitrary File Downloading

Summary
Blogtorrent is "a collection of PHP scripts that are designed to make it simple to host files for transfer via bittorrent". One of the scripts in the Blogtorrent doesn't correctly sanitize it's inputs, before using one of them to read and serve a file from the local system.


Details
Vulnerable Systems:
* Blog Torrent preview version 0.8

The above mentioned vulnerability can be exploited to remotely download any file upon the web server that is readable by the UID that the web server is running as.

The code in question is contained in btdownload.php and looks like this:
echo file_get_contents('torrents/'.$_GET['file']);

Exploit:
The following URL can be used to download a file: htp://example/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd (Adjust the ".."'s and the filename to suit your taste).

Fix:
While no new release is planned to address this hole the authors did commit a simple fix to their CVS repository.

This can be obtained from here: http://cvs.sourceforge.net/viewc ... p?r1=1.6&r2=1.7

(The patch was committed less than a day after the hole was privately reported to them, making them a responsive bunch).


Additional information
The information has been provided by Steve Kemp.