Hi Guys,
There is a vulnerability in the newest version of WebUI (1.3.15). In my opinion it is critical.
I found a possibility to add torrents to a remote client without knowing the correct password. Here is how to repeat it:
Add the plugin below to Chrome (I think it works with other plugins/browsers as well).
Remote Torrent Adder - https://chrome.google.com/webstore/deta ... fdghcmenci
Configure the plugin with the correct data except the password. (I tried it without SSL.)
Try to add any torrent by right-clicking on a torrent file anywhere on the web. This will happen:
The successful-adding popup shows up in the bottom right panel.
The torrent is added to Deluge.
The download starts without any error.
/var/log/deluge/web.log contains these log lines:
[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)
Please fix it!
[WebUI Vulnerability] Possible to add torrents without correct password
Last edited by Feriman on Mon Feb 05, 2018 11:29 am, edited 1 time in total.
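The log lines quoted in the report are the only server-side evidence offered, so a defender's first move is to read them systematically. The following is an added example, not code from the original post or from the Deluge project: a small Python parser for lines in the `web.log` shape shown above that counts `Login failed` entries per client IP and flags bursts within a time window. The sample lines are constructed to match that format (the non-failure lines are invented for contrast), and the threshold and window are assumptions to tune for your own deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the deluge-web auth log shape quoted in the report, e.g.
# "[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)"
LOG_RE = re.compile(
    r"^\[(?P<level>\w+)\s*\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>\S+)\s+(?P<msg>.*?)\s*\(ClientIP\s+(?P<ip>[0-9a-fA-F.:]+)\)\s*$"
)

# Constructed sample log, modelled on the format in the report (not real data).
SAMPLE_LOG = """\
[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[INFO  ] 10:46:40 auth:330 Login ok (ClientIP 192.168.1.50)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)
[DEBUG ] 10:52:10 json:200 Something unrelated
"""


def parse_line(line):
    """Return a dict for an auth line carrying a ClientIP, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The log carries only a time of day; the date is unknown, so parse time only.
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    return rec


def failed_logins_by_ip(text):
    """Count 'Login failed' lines per client IP across the whole log text."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"] == "Login failed":
            counts[rec["ip"]] += 1
    return dict(counts)


def flag_bursts(text, threshold=3, window=timedelta(minutes=15)):
    """Flag IPs with at least `threshold` failures inside any `window`-long span.

    Returns {ip: largest number of failures seen in one window} for flagged IPs.
    Threshold and window are assumed values, not anything Deluge itself defines.
    """
    times = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"] == "Login failed":
            times[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        # Sliding window over the sorted timestamps for this IP.
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print(failed_logins_by_ip(SAMPLE_LOG))
    print(flag_bursts(SAMPLE_LOG))
```

Run against a real `web.log`, `flag_bursts` separates the single mistyped password from a sustained series of rejected attempts; in the thread above, four failures from one address in about ten minutes would be flagged with the default settings. Note that a `Login failed` line only tells you the password check ran and rejected the attempt; it says nothing about whether a later request carried a valid session cookie, which is the question the maintainers raise below.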
Re: [WebUI Vulnerability] Possible to add torrents without correct password
Are you sure it is not using your browser session cookie?
Re: [WebUI Vulnerability] Possible to add torrents without correct password
I deleted cookies and reopened the browser, and I can still reproduce this method.
Re: [WebUI Vulnerability] Possible to add torrents without correct password
I cannot replicate, without a password it fails. This is not something that can be circumvented, you have to authenticate with a password to get the session cookie. And only a valid session cookie will allow you to add a torrent.
Re: [WebUI Vulnerability] Possible to add torrents without correct password
Okay. Then if that's true, why does it generate a log file with "failed login"?
Re: [WebUI Vulnerability] Possible to add torrents without correct password
Please enable debug logging for deluge-web and provide a full log