Opened 13 years ago

Closed 13 years ago

#4979 closed Bug (fixed)

Security issue

Reported by: MadIrish Owned by: jordan
Priority: Highest Milestone: 2.61
Component: Web Client Version: 2.60
Severity: Major Keywords: security, vulnerability
Cc:

Description

Hello,

I'm a security researcher and I believe I've identified a vulnerability in Transmission. Is there a contact e-mail or other secure way to report the issue (rather than a public ticket)? Thank you for any guidance you could provide. Please feel free to e-mail instructions and PGP public keys to the e-mail provided in my account.

-Justin

Change History (6)

comment:1 by jordan, 13 years ago

[email sent.]

comment:2 by jordan, 13 years ago

Milestone: None Set → 2.61
Owner: set to jordan
Status: new → assigned

comment:3 by jordan, 13 years ago

Proposed fix in r13392:

  • There are a couple of cases in the Inspector where we really do need innerHTML because we're building the peer and tracker lists. In these cases, sanitize the inputs that could be used as attack vectors. For example, in the case of "<div>" + tor.getName() + "</div>", instead use sanitizeText(tor.getName()) where sanitizeText is defined at https://trac.transmissionbt.com/browser/trunk/web/javascript/common.js?rev=13392#L99

Confirmed in Opera, FF, and Chrome to prevent the proof-of-concept provided yesterday.

Justin, any thoughts on this patch? If things look good, I'm going to propose 2.61 for this weekend.
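
An added illustration of the approach described in comment 3; it is not Transmission's `sanitizeText` or any code from r13392. The helper names, the peer fields (`address`, `client`) and the sample values are assumptions constructed for this example. It shows a row built for `innerHTML` with and without escaping of remote-controlled fields.

```javascript
// Added example: hypothetical helpers, not code from the Transmission tree.
// Characters that let text break out of an HTML text node or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Single-pass replacement, so an already-produced "&lt;" is never re-escaped
// within the same call.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": remote-controlled fields concatenated straight into markup.
function peerRowUnsafe(peer) {
  return '<tr><td title="' + peer.address + '">' + peer.client + '</td></tr>';
}

// "After": every field that originates outside the client is escaped at the
// point where it is placed into markup, in both attribute and text context.
function peerRowSafe(peer) {
  return '<tr><td title="' + escapeHtml(peer.address) + '">' +
         escapeHtml(peer.client) + '</td></tr>';
}

// Count element start tags in a markup string. A row built by the functions
// above should contain exactly two (<tr> and <td>); more means a field
// introduced markup of its own.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample data (not taken from the ticket).
const benignPeer = { address: '192.0.2.10', client: 'Transmission 2.60' };
const hostilePeer = {
  address: '192.0.2.11" data-extra="x',
  client: '<img src=x>',
};

console.log(peerRowUnsafe(hostilePeer)); // three start tags, extra attribute
console.log(peerRowSafe(hostilePeer));   // two start tags, fields shown as text
```

The same start-tag count can serve as a regression check in a unit test for any function that builds markup from torrent, peer or tracker fields.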

comment:4 by jordan, 13 years ago

Component: Transmission → Web Client

comment:5 by MadIrish, 13 years ago

Hello,

the patch looks good to me. Mitre has assigned CVE-2012-4037 to this issue. Please let me know if I can provide any further assistance.

-Justin

comment:6 by livings124, 13 years ago

Resolution: fixed
Status: assigned → closed