GLSA-200902-05 : KTorrent: Multiple vulnerabilitites

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200902-05
(KTorrent: Multiple vulnerabilitites)

The web interface plugin does not restrict access to the torrent upload
functionality (CVE-2008-5905) and does not sanitize request parameters
properly (CVE-2008-5906) .

Impact :

A remote attacker could send specially crafted parameters to the web
interface that would allow for arbitrary torrent uploads and remote
code execution with the privileges of the KTorrent process.

Workaround :

Disabling the web interface plugin will prevent exploitation of both
issues. Click 'Plugins' in the configuration menu and uncheck the
checkbox left of 'WebInterface', then apply the changes.

See also :

http://www.gentoo.org/security/en/glsa/glsa-200902-05.xml

Solution :

All KTorrent users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-p2p/ktorrent-2.2.8'

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 35731 (gentoo_GLSA-200902-05.nasl)

Bugtraq ID:

CVE ID: CVE-2008-5905
CVE-2008-5906