[WebUI Vulnerability] Possible to add torrents without correct password

General support for problems installing or using Deluge
Feriman
New User
Posts: 8
Joined: Mon Feb 05, 2018 9:50 am

[WebUI Vulnerability] Possible to add torrents without correct password

Post by Feriman »

Hi Guys,

There is a vulnerability in the newest version of the WebUI (1.3.15). In my opinion it is critical.

I found a way to add torrents to a remote client without knowing the correct password. Here is how to repeat it:

Add the plugin below to Chrome (I think it works with other plugins/browsers as well).

Remote Torrent Adder - https://chrome.google.com/webstore/deta ... fdghcmenci

Configure the plugin with the correct data except for the password. (I tried it without SSL.)

Try to add any torrent by right-clicking on a torrent file anywhere on the web. This is what happens:

The "added successfully" popup shows up in the bottom right panel.
The torrent is added to Deluge.
The download starts without any error.
/var/log/deluge/web.log gets these log lines:

[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)


Please fix it!
Last edited by Feriman on Mon Feb 05, 2018 11:29 am, edited 1 time in total.
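The web.log lines quoted above only say that authentication was refused; they do not say whether anything was added afterwards. When triaging a report like this, the first thing worth knowing is how many failures there are, from which client, and how tightly they cluster. The parser below is an added example for this thread (not Deluge code); it reads lines in the exact format shown in the post, counts failed logins per ClientIP, and flags a client whose failures exceed a threshold inside a sliding window. The sample log, the window size and the threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the same format as the web.log lines quoted in the post.
# The second line is a deliberately unrelated entry to show the parser ignores it.
SAMPLE_WEB_LOG = """\
[ERROR ] 10:41:59 auth:330 Login failed (ClientIP 192.168.1.1)
[INFO  ] 10:45:00 other:1 constructed non-auth line
[ERROR ] 10:46:27 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:47:05 auth:330 Login failed (ClientIP 192.168.1.1)
[ERROR ] 10:52:05 auth:330 Login failed (ClientIP 192.168.1.1)
"""

# "[LEVEL ] HH:MM:SS module:line Login failed (ClientIP <addr>)"
FAILED_LOGIN = re.compile(
    r"^\[(?P<level>[A-Z]+)\s*\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<where>\S+)\s+"
    r"Login failed \(ClientIP (?P<ip>[0-9A-Fa-f.:]+)\)\s*$"
)


def to_seconds(hhmmss: str) -> int:
    """Seconds since midnight. web.log carries no date, so this assumes one day."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_failed_logins(text: str) -> List[Tuple[int, str]]:
    """Return (time_in_seconds, client_ip) for every 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append((to_seconds(m.group("time")), m.group("ip")))
    return events


def failures_per_ip(events: List[Tuple[int, str]]) -> Counter:
    """Total failed logins per client address."""
    return Counter(ip for _, ip in events)


def max_failures_in_window(events: List[Tuple[int, str]], window_seconds: int) -> Dict[str, int]:
    """Largest number of failures any single client produced within one window."""
    by_ip: Dict[str, List[int]] = defaultdict(list)
    for t, ip in events:
        by_ip[ip].append(t)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):
            # advance j to the first event outside [start, start + window]
            while j < len(times) and times[j] - start <= window_seconds:
                j += 1
            best = max(best, j - i)
        result[ip] = best
    return result


def flag_brute_force(text: str, window_seconds: int = 600, threshold: int = 3) -> List[str]:
    """Clients with at least `threshold` failures inside any `window_seconds` span."""
    peaks = max_failures_in_window(parse_failed_logins(text), window_seconds)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_WEB_LOG)
    print("failures per client:", dict(failures_per_ip(evs)))
    print("flagged (3 in 10 min):", flag_brute_force(SAMPLE_WEB_LOG))
```

Run against the four lines in the post, the single client 192.168.1.1 reaches three failures inside a ten-minute window, which is the kind of fact to pair with "was a torrent actually added from that client" before calling it a bypass.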
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Post by Cas »

Are you sure it is not using your browser session cookie?
Feriman
New User
Posts: 8
Joined: Mon Feb 05, 2018 9:50 am

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Post by Feriman »

I deleted cookies & reopened the browser, and I can still reproduce this.
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Post by Cas »

I cannot replicate it; without a password it fails. This is not something that can be circumvented: you have to authenticate with a password to get the session cookie, and only a valid session cookie will allow you to add a torrent.
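The flow Cas describes, as an added model for this thread (it is not Deluge's own code): a session id is issued only after a successful auth.login, and every other method is refused unless the request carries a valid session id. The method names auth.login, auth.check_session and core.add_torrent_url and the _session_id cookie are deluge-web's JSON-RPC names; the error code and message, the "auth:330" source tag in the log line, the fixed clock and the in-memory tables are assumptions made for the example. The point it makes is that a wrong-password attempt leaves exactly the "Login failed" line quoted in the thread while the torrent list stays empty, so the log line alone does not show a bypass; only a torrent appearing without a prior successful login would.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class WebUiModel:
    """Model of a session-gated JSON-RPC endpoint (assumed behaviour, not Deluge code)."""

    def __init__(self, password: str, clock=None):
        self._password = password.encode()
        self.sessions: Dict[str, str] = {}      # session id -> client ip
        self.torrents: List[str] = []           # what an authenticated add produces
        self.web_log: List[str] = []            # lines in the same shape as web.log
        self._clock = clock or (lambda: "10:41:59")   # fixed time for reproducibility

    def _log(self, level: str, msg: str) -> None:
        # "[ERROR ] 10:41:59 auth:330 ..." ; the source tag is taken from the post
        self.web_log.append(f"[{level:<6}] {self._clock()} auth:330 {msg}")

    def handle(self, request: dict, client_ip: str, cookie: Optional[str] = None) -> dict:
        method = request.get("method")
        params = request.get("params", [])
        rid = request.get("id")

        if method == "auth.login":
            supplied = (params[0] if params else "").encode()
            if hmac.compare_digest(supplied, self._password):
                sid = secrets.token_hex(16)
                self.sessions[sid] = client_ip
                return {"id": rid, "result": True, "error": None,
                        "set_cookie": {"_session_id": sid}}
            self._log("ERROR", f"Login failed (ClientIP {client_ip})")
            return {"id": rid, "result": False, "error": None}

        # every other method is gated on a session id that was actually issued
        if cookie is None or cookie not in self.sessions:
            return {"id": rid, "result": None,
                    "error": {"code": 1, "message": "Not authenticated"}}  # assumed wording

        if method == "auth.check_session":
            return {"id": rid, "result": True, "error": None}
        if method == "core.add_torrent_url":
            url = params[0]
            self.torrents.append(url)
            return {"id": rid, "result": url, "error": None}
        return {"id": rid, "result": None, "error": {"code": 2, "message": "Unknown method"}}


def client_without_password(model: WebUiModel, client_ip: str, url: str) -> Tuple[bool, bool]:
    """What a client configured with an empty password ends up doing:
    a failed login, then an add that carries no session cookie."""
    login = model.handle({"method": "auth.login", "params": [""], "id": 1}, client_ip)
    sid = login.get("set_cookie", {}).get("_session_id")
    add = model.handle({"method": "core.add_torrent_url", "params": [url], "id": 2},
                       client_ip, cookie=sid)
    return bool(login["result"]), add["error"] is None


def client_with_password(model: WebUiModel, client_ip: str, password: str, url: str) -> Tuple[bool, bool]:
    """The legitimate path: login, keep the cookie, add with it."""
    login = model.handle({"method": "auth.login", "params": [password], "id": 1}, client_ip)
    sid = login.get("set_cookie", {}).get("_session_id")
    add = model.handle({"method": "core.add_torrent_url", "params": [url], "id": 2},
                       client_ip, cookie=sid)
    return bool(login["result"]), add["error"] is None


if __name__ == "__main__":
    m = WebUiModel("correct-horse")                      # constructed password
    print(client_without_password(m, "192.168.1.1", "http://example.invalid/a.torrent"))
    print(m.web_log, m.torrents)
    print(client_with_password(m, "192.168.1.1", "correct-horse", "http://example.invalid/a.torrent"))
    print(m.torrents)
```

To settle the thread's question against a real install, the analogue of `m.torrents` is the daemon's session list (or the debug log Cas asks for), checked alongside web.log: a "Login failed" line followed by a new torrent from the same client is the evidence that would matter.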
Feriman
New User
Posts: 8
Joined: Mon Feb 05, 2018 9:50 am

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Post by Feriman »

Okay. Then if that's true, why does it generate log lines with "Login failed"?
Cas
Top Bloke
Posts: 3679
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: [WebUI Vulnerability] Possible to add torrents without correct password

Post by Cas »

Please enable debug logging for deluge-web and provide a full log.