Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mZzg2LTRjMnItN3d4d84AA95b
TorrentPier Deserialization of Untrusted Data vulnerability
Summary
In torrentpier/library/includes/functions.php, get_tracks() uses the unsafe native PHP serialization format to deserialize user-controlled cookies:
PoC
One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZzg2LTRjMnItN3d4d84AA95b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 2 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-fg86-4c2r-7wxw, CVE-2024-40624
References:
- https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw
- https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e
- https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60
- https://nvd.nist.gov/vuln/detail/CVE-2024-40624
- https://github.com/advisories/GHSA-fg86-4c2r-7wxw
Blast Radius: 1.0
Affected Packages
packagist:torrentpier/torrentpier
Dependent packages: 0Dependent repositories: 0
Downloads: 335 total
Affected Version Ranges: <= 2.4.3
No known fixed version
All affected versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.4.3