[WebUI Vulnerability] Possible to add torrents without correct password
Posted: Mon Feb 05, 2018 10:00 am
Hi Guys,
There is a vulnerability in the newest version of WebUI (1.3.15). In my opinion it is critical.
I found a possibility to add torrents to a remote client without knowing the correct password. Here is how to repeat it:
Add the plugin below to Chrome (I think it works with other plugins/browsers as well).
Remote Torrent Adder - https://chrome.google.com/webstore/deta ... fdghcmenci
Configure the plugin with the correct data except the password. (I tried it without SSL.)
Try to add any torrent by right-clicking on a torrent file anywhere on the web. This will happen:
The successful-adding popup shows up in the bottom right panel.
The torrent is added to Deluge.
The download starts without any error.
/var/log/deluge/web.log gets these log lines:
[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)
Please fix it!
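
Added example, not part of the original post and not Deluge code: a small triage script that reads web.log entries in the format quoted above and lists the clients producing repeated "Login failed" lines, so their activity can be cross-checked against torrents added in the same period. The function names, the threshold and the second client IP in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the web.log line format quoted in the post. The number after
# "auth:" is a source line number and may differ between versions, so it
# is matched generically rather than fixed to 330.
LOGIN_FAILED = re.compile(
    r"^\[ERROR\s*\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+auth:\d+\s+"
    r"Login failed \(ClientIP (?P<ip>[^)\s]+)\)\s*$"
)


def failed_logins_by_client(lines):
    """Return {client_ip: [time, ...]} for every 'Login failed' entry."""
    failures = defaultdict(list)
    for line in lines:
        m = LOGIN_FAILED.match(line.strip())
        if m:
            failures[m.group("ip")].append(m.group("time"))
    return dict(failures)


def clients_to_review(lines, threshold=3):
    """Clients with at least `threshold` failures: (ip, count, first, last).

    Entries carry a time but no date, so first/last are taken in file
    order instead of being sorted; sorting would misorder a log that
    spans midnight.
    """
    report = [
        (ip, len(times), times[0], times[-1])
        for ip, times in failed_logins_by_client(lines).items()
        if len(times) >= threshold
    ]
    return sorted(report, key=lambda row: row[1], reverse=True)


# First four lines are the ones quoted in the post; the last one is
# constructed for this example (hypothetical second client).
SAMPLE = """\
[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 11:02:13 auth:330 Login failed (ClientIP 192.168.1.23)
"""

if __name__ == "__main__":
    for ip, count, first, last in clients_to_review(SAMPLE.splitlines()):
        print(f"{ip}: {count} failed logins between {first} and {last}")
```

To run it against a live log, pass `open("/var/log/deluge/web.log")` to `clients_to_review` in place of the sample lines.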