One feature, however, is posing a security threat to the user. According to a security alert, multiple serious vulnerabilities have been found in the client.

With a severity rated as ‘High’, the vulnerabilities are to be found in the client’s web interface plugin. Since the plugin does not successfully restrict access to the clients torrent upload functionality and fails to sanitize request parameters, it is vulnerable to exploitation.

The flaws can allow a malicious remote attacker to send specially crafted parameters to the web interface. This could enable remote arbitrary torrent uploads along with the possibility of remote code execution, within the same privileges as the KTorrent process itself.

A temporary workaround solution is to disable the web interface plugin. This can be achieved by clicking “plugins” in the config menu and unchecking the “Web Interface” checkbox.

Versions affected by this issue are 2.2.8 and earlier, so users updating to the latest version are protected from these security vulnerabilities.

Article from: TorrentFreak, check out our new blog at FreakBits.

The vulnerabilities were discovered in the components chunkcounter.cpp and torrent.cpp and can be exploited by getting a user to use a modified torrent file, resulting in the possible control of the OS with the same privileges as the Ktorrent user.

There is currently no work-around for the flaws but the situation can be remedied by upgrading to the latest version of Ktorrent, version 2.1.4.

KTorrent is a BitTorrent client written in C++ for KDE, offering mainline DHT and µTorrent compatible peer exchange, port forwarding via UPnP and protocol encryption for getting round those pesky traffic-shaping ISP’s.

KTorrent version 2.2 will be released later this month and will include new features such as multiple tabs, moving finished downloads to another directory, and diskspace preallocation. Another good reason to upgrade!

Article from: TorrentFreak, check out our new blog at FreakBits.