Opened 8 years ago

Closed 8 years ago

#4979 closed Bug (fixed)

Security issue

Reported by: MadIrish
Owned by: jordan
Priority: Highest
Milestone: 2.61
Component: Web Client
Version: 2.60
Severity: Major
Keywords: security, vulnerability
Cc:

Description

Hello,

I'm a security researcher and I believe I've identified a vulnerability in Transmission. Is there a contact e-mail or other secure way to report the issue (rather than a public ticket)? Thank you for any guidance you could provide. Please feel free to e-mail instructions and PGP public keys to the e-mail provided in my account.

-Justin

Change History (6)

comment:1 Changed 8 years ago by jordan

[email sent.]

comment:2 Changed 8 years ago by jordan

  • Milestone changed from None Set to 2.61
  • Owner set to jordan
  • Status changed from new to assigned

comment:3 Changed 8 years ago by jordan

Proposed fix in r13392:

  • There are a couple of cases in the Inspector where we really do need innerHTML because we're building the peer and tracker lists. In these cases, sanitize the inputs that could be used as attack vectors. For example, in the case of "<div>" + tor.getName() + "</div>", instead use sanitizeText(tor.getName()) where sanitizeText is defined at https://trac.transmissionbt.com/browser/trunk/web/javascript/common.js?rev=13392#L99

Confirmed in Opera, FF, and Chrome to prevent the proof-of-concept provided yesterday.

Justin, any thoughts on this patch? If things look good, I'm going to propose 2.61 for this weekend.
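The pattern described in comment:3, as an added example that is not part of the ticket and not Transmission's own code: markup built by string concatenation for innerHTML, before and after escaping the untrusted value. escapeHtml is a hypothetical stand-in for the project's sanitizeText, and the torrent object, its name and countStartTags are constructed for illustration.

```javascript
// Added example. escapeHtml is a hypothetical stand-in for sanitizeText();
// it is not the code at the common.js link in the ticket.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that is significant in HTML text or in a quoted
// attribute value. A single pass avoids double-escaping our own output.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the concatenation quoted in comment:3. Whatever the torrent
// metadata contains is parsed as markup once assigned to innerHTML.
function nameRowUnsafe(tor) {
  return '<div>' + tor.getName() + '</div>';
}

// "After": the untrusted value is escaped at the point of concatenation,
// so the browser renders it as text.
function nameRowSafe(tor) {
  return '<div>' + escapeHtml(tor.getName()) + '</div>';
}

// Review aid (assumption: simple, well-formed fragments only): count the
// element start tags a fragment would create when parsed.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^<>]*>/g) || []).length;
}

// Constructed sample: a torrent whose name, supplied by whoever made the
// torrent, contains markup characters.
const sampleTor = { getName: () => 'Linux ISO <b>bold</b> & "extras"' };

console.log(nameRowUnsafe(sampleTor), countStartTags(nameRowUnsafe(sampleTor)));
console.log(nameRowSafe(sampleTor), countStartTags(nameRowSafe(sampleTor)));
```

Where no markup is needed at all, assigning the value through textContent instead of innerHTML avoids the escaping step entirely.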

comment:4 Changed 8 years ago by jordan

  • Component changed from Transmission to Web Client

comment:5 Changed 8 years ago by MadIrish

Hello,

The patch looks good to me. Mitre has assigned CVE-2012-4037 to this issue. Please let me know if I can provide any further assistance.

-Justin

comment:6 Changed 8 years ago by livings124

  • Resolution set to fixed
  • Status changed from assigned to closed