![]() ![]() Malicious script elements in the torrent name are easily visible via the desktop client, but malicious elements in the 'created by' or 'comments' elements are more difficult for end users to detect. This presents some barrier, but is easy bypassed by injecting event driven elements in the display. This means malicious scripts must be crafted to exploit the way in which content is dynamically rendered. ![]() The information displayed via the Transmission web client is loaded via AJAX calls and is entirely event driven. Transmission 2.50 on Fedora 17 was tested and shown to be vulnerable, but Transmission is a cross platform tool so it is possible versions for other operating systems (such as Mac, Windows, and other Linux) are vulnerable as well. This could lead to privacy compromises (such as if the script "phoned home" to another URL with client information) or client side attacks (such as drive by downloads). torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser. torrent files that are loaded into the client resulting in an arbitrary script include (or cross site scripting (XSS)) vulnerability.Ĭlients loading a maliciously crafted. Unfortunately this web based client doesn't sanitize text from. Transmission includes functionality to enable a web based display of the application. Transmission ( ) is a popular, cross platform, open source BitTorrent client. OSVDB: 84242 Description of Vulnerability ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |