New KTorrent version plugs security vulnerabilities
KTorrent 3.1.4 is the latest release of the free BitTorrent client for the KDE and Gnome Linux desktops. It fixes some stability problems and plugs a number of security vulnerabilities in the web interface. According to the security services provider Secunia, these included PHP code injection, in which crafted parameters allow code to be injected into the system and run, and a bypass of the access restrictions on uploads, in which specially crafted HTTP POST requests allow any Torrent files to be uploaded.
Successful exploitation of the vulnerabilities requires that the web interface plugin be enabled, which is not the default setting in KTorrent. Version 2.x of KTorrent is not affected by these issues.
- 3.1.4 released, announcement at ktorrent.org
- KTorrent Web Interface Torrent Upload and PHP Code Injection, Secunia advisory