[WebUI Vulnerability] Possible to add torrents without correct password

General support for problems installing or using Deluge
Feriman
New User
Posts: 4
Joined: Mon Feb 05, 2018 9:50 am
OS or Distro: Raspbian

[WebUI Vulnerability] Possible to add torrents without correct password

Postby Feriman » Mon Feb 05, 2018 10:00 am

Hi Guys,

There is a vulnerability in the newest version of WebUI (1.3.15). In my opinion it is critical.

I found a possibility to add torrents to a remote client without knowing the correct password. Here is how to repeat it:

Add the plugin below to Chrome (I think it works with other plugins/browsers as well).

Remote Torrent Adder - https://chrome.google.com/webstore/deta ... fdghcmenci

Configure the plugin with correct data except the password. (I tried it without SSL.)

Try to add any torrent by right-clicking on a torrent file anywhere on the web. This is what happens:

The successful adding popup shows up in the bottom right panel.
The torrent is added to Deluge.
The download starts without any error.
/var/log/deluge/web.log gets these log lines:

[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)


Please fix it!
Last edited by Feriman on Mon Feb 05, 2018 11:29 am, edited 1 time in total.
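A detection check for the web.log lines quoted in the post above, added here as an example that is not from the post or from the Deluge project: it parses the 1.3.x web.log line format shown, groups "Login failed" events per client IP and flags bursts of failures. The threshold, window and the extra non-auth sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Deluge 1.3.x web.log line format as shown in the post:
#   [ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
LOG_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\s*\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>\S+)\s+(?P<msg>.*?)\s*\(ClientIP\s+(?P<ip>[^)]+)\)\s*$"
)

def parse_line(line):
    """Return a dict for a web.log auth line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%H:%M:%S")  # date-less, like the log
    return d

def failed_logins_by_ip(lines):
    """Map client IP -> sorted timestamps of 'Login failed' events."""
    out = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["msg"] == "Login failed":
            out[ev["ip"]].append(ev["time"])
    return {ip: sorted(ts) for ip, ts in out.items()}

def flag_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: count} for IPs with >= threshold failures inside one window.
    threshold and window are assumed tuning values, not Deluge settings."""
    flagged = {}
    for ip, ts in failed_logins_by_ip(lines).items():
        for i in range(len(ts)):
            j = i
            while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1
                break
    return flagged

# Constructed sample: the four lines from the post plus one unrelated line
# (made up here) that the auth-line parser must ignore.
SAMPLE_LOG = """\
[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)
[INFO  ] 10:53:10 server:100 constructed unrelated line
"""
```

Run `flag_bursts(SAMPLE_LOG.splitlines())` to see the first three failures (within ten minutes) flagged for 192.168.1.1.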

Cas
Top Bloke
Posts: 3474
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Postby Cas » Mon Feb 05, 2018 11:18 am

Are you sure it is not using your browser session cookie?

Feriman
New User
Posts: 4
Joined: Mon Feb 05, 2018 9:50 am
OS or Distro: Raspbian

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Postby Feriman » Mon Feb 05, 2018 11:27 am

I deleted cookies and reopened the browser, and I can still reproduce this method.

Cas
Top Bloke
Posts: 3474
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Postby Cas » Mon Feb 05, 2018 2:10 pm

I cannot replicate it; without a password it fails. This is not something that can be circumvented: you have to authenticate with a password to get the session cookie, and only a valid session cookie will allow you to add a torrent.

Feriman
New User
Posts: 4
Joined: Mon Feb 05, 2018 9:50 am
OS or Distro: Raspbian

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Postby Feriman » Mon Feb 05, 2018 2:12 pm

Okay. Then if that's true, why does it generate a log file with "failed login"?

Cas
Top Bloke
Posts: 3474
Joined: Mon Dec 07, 2009 6:04 am
OS or Distro: Ubuntu 16.04
Location: Scotland

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Postby Cas » Mon Feb 05, 2018 2:42 pm

Please enable debug logging for deluge-web and provide a full log.

