---------------------------------------------------------------------- Accurate Vulnerability Scanning No more false positives, no more false negatives http://secunia.com/vulnerability_scanning/ ---------------------------------------------------------------------- TITLE: Transmission "name" Key Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA38005 VERIFY ADVISORY: http://secunia.com/advisories/38005/ DESCRIPTION: Dan Rosenberg has reported a vulnerability in Transmission, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application not properly sanitising the "name" key before saving files. This can be exploited to overwrite arbitrary files on the local system when a user is tricked into opening a specially crafted .torrent file containing directory traversal sequences in the name key. The vulnerability is reported in versions prior to 1.77. SOLUTION: Update to version 1.77. PROVIDED AND/OR DISCOVERED BY: Dan Rosenberg CHANGELOG: 2010-01-08: Added CVE reference. ORIGINAL ADVISORY: https://bugs.launchpad.net/ubuntu/+source/transmission/+bug/500625 http://trac.transmissionbt.com/wiki/Changes#version-1.77 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------