FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
3e5b8bd3-0c32-452f-a60e-beab7b762351	transmission-daemon -- vulnerable to dns rebinding attacks Google Project Zero reports: The transmission bittorrent client uses a client/server architecture, the user interface is the client which communicates to the worker daemon using JSON RPC requests. As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on localhost with XMLHttpRequest(), but the theory is they will be ignored because clients must prove they can read and set a specific header, X-Transmission-Session-Id. Unfortunately, this design doesn't work because of an attack called "DNS rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost. Exploitation is simple, you could set script-torrent-done-enabled and run any command, or set download-dir to /home/user/ and then upload a torrent for .bashrc. Discovery 2017-11-30 Entry 2018-01-14 transmission-daemon le 2.92_3 https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 https://github.com/transmission/transmission/pull/468

VuXML ID

Description

3e5b8bd3-0c32-452f-a60e-beab7b762351

transmission-daemon -- vulnerable to dns rebinding attacks

Google Project Zero reports:

The transmission bittorrent client uses a client/server architecture, the user interface is the client which communicates to the worker daemon using JSON RPC requests.

As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on localhost with XMLHttpRequest(), but the theory is they will be ignored because clients must prove they can read and set a specific header, X-Transmission-Session-Id. Unfortunately, this design doesn't work because of an attack called "DNS rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.

Exploitation is simple, you could set script-torrent-done-enabled and run any command, or set download-dir to /home/user/ and then upload a torrent for .bashrc.

Discovery 2017-11-30
Entry 2018-01-14
transmission-daemon

le 2.92_3

https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
https://github.com/transmission/transmission/pull/468