Opened 13 years ago
Closed 13 years ago
#4979 closed Bug (fixed)
Security issue
| Reported by: | MadIrish | Owned by: | jordan |
|---|---|---|---|
| Priority: | Highest | Milestone: | 2.61 |
| Component: | Web Client | Version: | 2.60 |
| Severity: | Major | Keywords: | security, vulnerability |
| Cc: |
Description
Hello,
I'm a security researcher and I believe I've identified a vulnerability in Transmission. Is there a contact e-mail or other secure way to report the issue (rather than a public ticket)? Thank you for any guidance you could provide. Please feel free to e-mail instructions and PGP public keys to the e-mail provided in my account.
-Justin
Change History (6)
comment:1 by , 13 years ago
comment:2 by , 13 years ago
| Milestone: | None Set → 2.61 |
|---|---|
| Owner: | set to |
| Status: | new → assigned |
comment:3 by , 13 years ago
Proposed fix in r13392:
- Prefer element.textContent over element.innerHTML. Most of the time we're simply setting a label and don't need the extra power/pitfalls of the latter. This handles nearly all of the attack vectors. See also https://developer.mozilla.org/en/DOM/element.innerHTML#Security_consideration
- There are a couple of cases in the Inspector where we really do need innerHTML because we're building the peer and tracker lists. In these cases, sanitize the inputs that could be used as attack vectors. For example, in the case of "<div>" + tor.getName() + "</div>", instead use sanitizeText(tor.getName()) where sanitizeText is defined at https://trac.transmissionbt.com/browser/trunk/web/javascript/common.js?rev=13392#L99
Confirmed in Opera, FF, and Chrome to prevent the proof-of-concept provided yesterday.
Justin, any thoughts on this patch? If things look good, I'm going to propose 2.61 for this weekend.
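The innerHTML case described in comment 3, as an added example that is not part of the ticket or of Transmission's code: it renders the same "<div>" + name + "</div>" fragment with and without escaping and counts the elements each version would create. The sanitizeText body, the render and audit helper names, and the sample torrent names are assumptions constructed for illustration.

```javascript
// Added illustration. sanitizeText below is a hypothetical stand-in for the
// helper named in the ticket; it is not Transmission's common.js code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can open a tag, an entity or an attribute value.
// A single pass means '&' in the input is never double-escaped.
function sanitizeText(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the untrusted torrent name is concatenated straight into markup.
function renderNameUnsafe(name) {
  return '<div>' + name + '</div>';
}

// "After": same markup, name escaped before it reaches innerHTML.
function renderNameSafe(name) {
  return '<div>' + sanitizeText(name) + '</div>';
}

// Approximate count of element start tags a parser would find in a fragment.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample names, as they might arrive in torrent metadata.
const SAMPLE_NAMES = [
  'ubuntu-12.04-desktop-amd64.iso',
  'Tom & Jerry <1940>',
  'demo <img src=x onerror="alert(1)">.iso',
];

// For each name, report how many elements each renderer would create.
// Exactly one (the wrapping <div>) is the only acceptable answer.
function auditNames(names) {
  return names.map((name) => ({
    name,
    unsafeTags: countStartTags(renderNameUnsafe(name)),
    safeTags: countStartTags(renderNameSafe(name)),
  }));
}

console.log(auditNames(SAMPLE_NAMES));
```

For plain labels the first bullet applies instead: assigning the string to element.textContent never invokes the HTML parser, so no escaping step is needed.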
comment:4 by , 13 years ago
| Component: | Transmission → Web Client |
|---|
comment:5 by , 13 years ago
Hello,
the patch looks good to me. Mitre has assigned CVE-2012-4037 to this issue. Please let me know if I can provide any further assistance.
-Justin
comment:6 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |

[email sent.]