This is the beauty of open source. You can actually publish stuff like this without the fear that several black Tuesdays will pass before it’s patched.
Distributed under a GNU General Public license, KTorrent is a torrent client written in C++ for KDE. Feature wise, the client can compete with other popular clients, supporting protocol encryption, UDP trackers and web-seeding to name a few.
One feature, however, is posing a security threat to the user. According to a security alert, multiple serious vulnerabilities have been found in the client.
With a severity rated as ‘High’, the vulnerabilities are to be found in the client’s web interface plugin. Since the plugin does not successfully restrict access to the clients torrent upload functionality and fails to sanitize request parameters, it is vulnerable to exploitation.
The flaws can allow a malicious remote attacker to send specially crafted parameters to the web interface. This could enable remote arbitrary torrent uploads along with the possibility of remote code execution, within the same privileges as the KTorrent process itself.
A temporary workaround solution is to disable the web interface plugin. This can be achieved by clicking “plugins” in the config menu and unchecking the “Web Interface” checkbox.
Versions affected by this issue are 2.2.8 and earlier, so users updating to the latest version are protected from these security vulnerabilities.
Related Posts: On this day...
- BookArc laptop stand "speeds up" your computer - 2011
- SOCOM cheater convicted in grand jury investigation - 2010
- "The Ex" Knife Set and Holder - 2010
- OpenWRT $200,000 cash prize for open source router GUI web interface - 2009
- Ron Paul at CPAC 2009 - 2009
- Billboard Liberation Front vs. ATT + NSA - 2008
- 7 Sites You Can Only Find On The "Gopher Internet" - 2008