Headline
GHSA-fg86-4c2r-7wxw: TorrentPier Deserialization of Untrusted Data vulnerability
Summary
In torrentpier/library/includes/functions.php, get_tracks() uses the unsafe native PHP serialization format to deserialize user-controlled cookies:
https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60
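The pattern described above next to two hardened readers, as an added example that is not TorrentPier's code or its fix. The function names, the assumed cookie shape (a map of integer ids to integer timestamps), and the sample cookie values are assumptions constructed for illustration.

```php
<?php
// Unsafe shape described in the summary: unserialize() on a client-supplied
// cookie lets the client choose which classes are instantiated.
function read_tracks_unsafe(array $cookies, string $name): array
{
    $tracks = !empty($cookies[$name]) ? @unserialize($cookies[$name]) : false;
    return is_array($tracks) ? $tracks : [];
}

// Keep only positive-int => non-negative-int pairs (assumed: id => timestamp).
function filter_int_map($decoded): array
{
    $clean = [];
    foreach (is_array($decoded) ? $decoded : [] as $id => $time) {
        if (is_int($id) && $id > 0 && is_int($time) && $time >= 0) {
            $clean[$id] = $time;
        }
    }
    return $clean;
}

// Hardened: JSON is data-only and cannot name a PHP class.
function read_tracks_json(array $cookies, string $name): array
{
    $raw = $cookies[$name] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 4096) {
        return [];
    }
    return filter_int_map(json_decode($raw, true, 2));
}

// Fallback when the serialized format must stay: refuse all classes, then
// validate. PHP's manual still advises against unserialize() on untrusted input.
function read_tracks_no_classes(array $cookies, string $name): array
{
    $raw = $cookies[$name] ?? '';
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    return filter_int_map(@unserialize($raw, ['allowed_classes' => false]));
}

// Constructed cookie values; bb_t is the cookie name from the advisory.
$valid  = ['bb_t' => '{"12":1720000000,"x":"y"}'];
$object = ['bb_t' => 'O:8:"stdClass":0:{}'];
var_dump(read_tracks_json($valid, 'bb_t'));
var_dump(read_tracks_json($object, 'bb_t'));
var_dump(read_tracks_no_classes($object, 'bb_t'));
```

Both hardened readers drop anything that is not an integer pair, so a serialized object in the cookie yields an empty array instead of an instantiated class.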
PoC
One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php.
Critical severity GitHub Reviewed Published Jul 13, 2024 in torrentpier/torrentpier • Updated Jul 15, 2024