
[WebUI Vulnerability] Possible to add torrents without correct password

Posted: Mon Feb 05, 2018 10:00 am
by Feriman
Hi Guys,

There is a vulnerability in the newest version of the WebUI (1.3.15). In my opinion it is critical.

I found a way to add torrents to a remote client without knowing the correct password. Here is how to reproduce it:

Add the plugin below to Chrome (I think it works with other plugins/browsers as well).

Remote Torrent Adder - https://chrome.google.com/webstore/deta ... fdghcmenci

Configure the plugin with the correct data except for the password. (I tried it without SSL.)

Try to add any torrent by right-clicking on a torrent file anywhere on the web. This is what happens:

The "successfully added" popup shows up in the bottom right panel.
The torrent is added to Deluge.
The download starts without any error.
/var/log/deluge/web.log gets these log lines:

[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)


Please fix it!

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Posted: Mon Feb 05, 2018 11:18 am
by Cas
Are you sure it is not using your browser session cookie?

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Posted: Mon Feb 05, 2018 11:27 am
by Feriman
I deleted the cookies and reopened the browser, and I can still reproduce this.

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Posted: Mon Feb 05, 2018 2:10 pm
by Cas
I cannot replicate it; without a password it fails. This is not something that can be circumvented: you have to authenticate with a password to get the session cookie, and only a valid session cookie will allow you to add a torrent.

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Posted: Mon Feb 05, 2018 2:12 pm
by Feriman
Okay. Then if that's true, why does it generate a log file with "failed login"?

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Posted: Mon Feb 05, 2018 2:42 pm
by Cas
Please enable debug logging for deluge-web and provide a full log.