TorrentPier Deserialization of Untrusted Data vulnerability
Critical severity
GitHub Reviewed
Published Jul 13, 2024 in torrentpier/torrentpier • Updated Aug 4, 2024
Description
Published to the GitHub Advisory Database: Jul 15, 2024
Reviewed: Jul 15, 2024
Published by the National Vulnerability Database: Jul 15, 2024
Last updated: Aug 4, 2024
Summary
In torrentpier/library/includes/functions.php, get_tracks() uses the unsafe native PHP serialization format to deserialize user-controlled cookies: https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60
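The following is an added example, not TorrentPier's code or its patch. It sketches a hardened reader for a tracking cookie such as bb_t: it prefers JSON and never lets the decoder build objects. The function name read_tracks_cookie, the size limits, and the assumed cookie shape (a flat map of integer id to integer timestamp) are hypothetical.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described in the advisory: native unserialize() on a
// cookie value can instantiate any autoloadable class and run its magic methods.
//   $tracks = unserialize($_COOKIE['bb_t']);

/**
 * Hypothetical hardened reader (not TorrentPier's code).
 * Assumes the cookie carries a flat map of integer id => integer timestamp.
 */
function read_tracks_cookie(array $cookies, string $name, int $maxEntries = 500): array
{
    $raw = $cookies[$name] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 8192) {
        return [];
    }

    // Preferred format: JSON, which can only yield scalars and arrays.
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        // Legacy cookies: accept the native format but refuse to build any object.
        $data = @unserialize($raw, ['allowed_classes' => false]);
    }
    if (!is_array($data) || count($data) > $maxEntries) {
        return [];
    }

    $tracks = [];
    foreach ($data as $id => $time) {
        // Reject anything that is not int => int, including nested arrays and
        // the __PHP_Incomplete_Class placeholders produced for blocked classes.
        if (!is_int($id) || !is_int($time) || $id < 0 || $time < 0) {
            return [];
        }
        $tracks[$id] = $time;
    }
    return $tracks;
}

// Constructed sample cookies.
$samples = [
    'json'   => ['bb_t' => '{"12":1720000000,"15":1720000300}'],
    'legacy' => ['bb_t' => 'a:1:{i:12;i:1720000000;}'],
    'object' => ['bb_t' => 'O:8:"stdClass":0:{}'],
];
foreach ($samples as $label => $cookies) {
    printf("%-6s => %s\n", $label, json_encode(read_tracks_cookie($cookies, 'bb_t')));
}
```

The legacy branch exists only to keep old cookies readable during a migration; once clients have been re-issued JSON cookies it can be removed so that unserialize() never sees request data.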
PoC
One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php.
References