Opened 11 years ago
Closed 11 years ago
#4979 closed Bug (fixed)
Security issue
| Reported by: | MadIrish | Owned by: | jordan |
|---|---|---|---|
| Priority: | Highest | Milestone: | 2.61 |
| Component: | Web Client | Version: | 2.60 |
| Severity: | Major | Keywords: | security, vulnerability |
| Cc: |
Description
Hello,
I'm a security researcher and I believe I've identified a vulnerability in Transmission. Is there a contact e-mail or other secure way to report the issue (rather than a public ticket)? Thank you for any guidance you could provide. Please feel free to e-mail instructions and PGP public keys to the e-mail provided in my account.
-Justin
Change History (6)
comment:1 Changed 11 years ago by jordan
comment:2 Changed 11 years ago by jordan
- Milestone changed from None Set to 2.61
- Owner set to jordan
- Status changed from new to assigned
comment:3 Changed 11 years ago by jordan
Proposed fix in r13392:
- Prefer element.textContent over element.innerHTML. Most of the time we're simply setting a label and don't need the extra power/pitfalls of the latter. This handles nearly all of the attack vectors. See also https://developer.mozilla.org/en/DOM/element.innerHTML#Security_consideration
- There are a couple of cases in the Inspector where we really do need innerHTML because we're building the peer and tracker lists. In these cases, sanitize the inputs that could be used as attack vectors. For example, in the case of "<div>" + tor.getName() + "</div>", instead use sanitizeText(tor.getName()) where sanitizeText is defined at https://trac.transmissionbt.com/browser/trunk/web/javascript/common.js?rev=13392#L99
Confirmed in Opera, FF, and Chrome to prevent the proof-of-concept provided yesterday.
Justin, any thoughts on this patch? If things look good, I'm going to propose 2.61 for this weekend.
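The two rules from comment:3, as an added example that is not part of the ticket and not Transmission's code: labels are assigned through `textContent`, and strings that must be concatenated into markup are escaped first. The names `escapeHtml`, `renderTrackerRows`, `setLabel` and the sample data are assumptions made for illustration; `escapeHtml` is not the project's `sanitizeText`.

```javascript
// Added illustration; all names and sample data here are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can change HTML parsing in text or in a
// quoted attribute value. Non-strings are coerced first.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" shape: torrent/tracker strings concatenated straight into markup,
// so any markup they contain is parsed when assigned to innerHTML.
function renderTrackerRowsUnsafe(trackers) {
  return trackers
    .map((t) => '<div title="' + t.host + '">' + t.name + '</div>')
    .join('');
}

// Hardened shape: same markup, but every untrusted value is escaped at the
// point where it is inserted (both text and attribute contexts).
function renderTrackerRows(trackers) {
  return trackers
    .map((t) => '<div title="' + escapeHtml(t.host) + '">' +
                escapeHtml(t.name) + '</div>')
    .join('');
}

// Label case: no markup is needed, so skip HTML parsing entirely.
// `element` is any DOM element (or an object with a textContent property).
function setLabel(element, text) {
  element.textContent = String(text);
}

// Constructed sample input: one ordinary entry, one carrying markup.
const SAMPLE_TRACKERS = [
  { name: 'Ubuntu ISO', host: 'tracker.example.org' },
  { name: '<img src=x onerror=alert(1)>', host: 'a" onmouseover="alert(2)' },
];

console.log('unsafe  :', renderTrackerRowsUnsafe(SAMPLE_TRACKERS));
console.log('hardened:', renderTrackerRows(SAMPLE_TRACKERS));
```

Escaping at the concatenation site, rather than once when the data arrives, keeps the stored value intact for the `textContent` paths, which need no escaping at all.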
comment:4 Changed 11 years ago by jordan
- Component changed from Transmission to Web Client
comment:5 Changed 11 years ago by MadIrish
Hello,
the patch looks good to me. Mitre has assigned CVE-2012-4037 to this issue. Please let me know if I can provide any further assistance.
-Justin
comment:6 Changed 11 years ago by livings124
- Resolution set to fixed
- Status changed from assigned to closed

[email sent.]