Blogtorrent is "a collection of PHP scripts that are designed to make it simple to host files for transfer via bittorrent". One of the scripts in the Blogtorrent doesn't correctly sanitize it's inputs, before using one of them to read and serve a file from the local system.
Credit:
The information has been provided by Steve Kemp.
Vulnerable Systems:
* Blog Torrent preview version 0.8
The above mentioned vulnerability can be exploited to remotely download any file upon the web server that is readable by the UID that the web server is running as.
The code in question is contained in btdownload.php and looks like this: echo file_get_contents('torrents/'.$_GET['file']);
Exploit:
The following URL can be used to download a file: htp://example/battletorrent/btdownload.php?type=torrent&file=../../etc/passwd (Adjust the ".."'s and the filename to suit your taste).
Fix:
While no new release is planned to address this hole the authors did commit a simple fix to their CVS repository.
