
Web UI is vulnerable to CSRF


bugmenot


Posted

Hello again,

I noticed that with a simple snippet like this:

<img src="http://localhost:PORT/gui/?action=setsetting&s=max_ul_rate&v=0" />

embedded into any website, anyone can change my upload rate (or the web UI password, for that matter).

I'm currently in the process of coding a custom web UI, and I'm aware of the token system. In fact, I'm using it, but µTorrent (1.8.2) still seems to accept requests without a token.

Posted

That's because webui.token_auth is disabled by default. You'll find that, when enabled, requests without a token simply cause µTorrent to spit back "invalid request".
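An added illustration of the behaviour described in this reply, written for this thread rather than taken from µTorrent or any poster: a toy handler for the /gui/ endpoint that honours the <img> request from the first post when token_auth is off and answers "invalid request" when it is on. The port 8080, the token value and the settings dictionary are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the per-session token a legitimate web UI
# fetches first; the real daemon generates its own.
SESSION_TOKEN = secrets.token_urlsafe(32)

# The request from the original post, as an embedded <img> would send it
# (port 8080 is a constructed placeholder for PORT).
CSRF_URL = "http://localhost:8080/gui/?action=setsetting&s=max_ul_rate&v=0"


def handle_gui_request(url: str, token_auth: bool, settings: dict) -> str:
    """Return "ok" or "invalid request" for a /gui/ URL.

    With token_auth off, any request that reaches the port is honoured, so a
    cross-site <img> can change settings (CSRF). With token_auth on, the
    'token' parameter must equal the session secret, which a third-party
    page cannot read, so the same <img> request is rejected.
    """
    parts = urlsplit(url)
    if parts.path != "/gui/":
        return "invalid request"
    q = parse_qs(parts.query)
    if token_auth:
        supplied = q.get("token", [""])[0]
        # Constant-time comparison so the check does not leak the token by timing.
        if not hmac.compare_digest(supplied.encode(), SESSION_TOKEN.encode()):
            return "invalid request"
    if q.get("action", [""])[0] != "setsetting":
        return "invalid request"
    name = q.get("s", [""])[0]
    try:
        value = int(q.get("v", [""])[0])
    except ValueError:
        return "invalid request"
    if name not in settings:
        return "invalid request"
    settings[name] = value
    return "ok"


def demo() -> tuple:
    """Same forged request under both settings, plus a legitimate tokened one."""
    s = {"max_ul_rate": 100}
    unsafe = handle_gui_request(CSRF_URL, False, s)                       # "ok", rate now 0
    s = {"max_ul_rate": 100}
    safe = handle_gui_request(CSRF_URL, True, s)                          # "invalid request"
    legit = handle_gui_request(CSRF_URL + "&token=" + SESSION_TOKEN, True, s)  # "ok"
    return unsafe, safe, legit
```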

Posted

Yes, that did the trick. Thanks for your help. :)

Anyhow, is there a reason for this setting to be disabled by default? I don't see why anyone would want it to be off.

Posted

To maintain backwards compatibility with older WebUI projects that haven't been updated to support token authentication. I'm not sure what the status is for current projects and their support for token authentication, but I tend to agree that it should probably be enabled by default now. It's already been part of µTorrent for at least a year, so most projects that haven't been updated to support token authentication are likely abandoned. The only exception to that would be the bookmarklet by kentyman, which can't support token authentication due to its very nature -- I'm not sure what we should do about it with regards to token authentication.

Posted

It'll depend on how many of the WebUI projects work with token authentication.

Edit: Apparently, very few UIs work with it, still. A very sad and unfortunate state of affairs. I think I might just write a utility to replace Send2UTorrent and uTorrentHandler that supports token authentication properly instead of waiting for the unlikely chance that the (seemingly) abandoned projects will come back to life.

In the end, I think the reason so many of the developers don't bother to support token authentication is directly because it's not enabled by default, so they think it's unimportant. On the contrary, it is important, and IMO, enough so that it's worth breaking abandoned projects just to keep users at least somewhat safer.

Edit: Warning to developers is up.
