Security Issue: Users can see each others data via the HTTP Downloads

I’ve discussed previously in private about a whitelabel/side project. I would be happy to keep to that idea.

Just to point out though that I was not the first person to mention this bug, I was simply creating a topic for it in the correct section. It was not meant in any way to push for commercially suited use.

If you are still experiencing this issue, then I would encourage you to double check your apache aliases to ensure that they are configured properly for each and every user.

If there is a block that contains the value:

Require valid-user

Then any logged in user will have access to the directory, regardless of who they are.

Alias /USER.rtorrent.downloads "/home/USER/torrents/rtorrent/"
<Directory "/home/USER/torrents/rtorrent/">
  Options Indexes FollowSymLinks MultiViews
  AuthType Digest
  AuthName "rutorrent"
  AuthUserFile '/etc/htpasswd'
  Require user USER
  AllowOverride None
  Order allow,deny
  allow from all
  php_admin_value engine Off
</Directory>
Alias /USER.deluge.downloads "/home/USER/torrents/deluge/"
<Directory "/home/USER/torrents/deluge/">
  Options Indexes FollowSymLinks MultiViews
  AuthType Digest
  AuthName "rutorrent"
  AuthUserFile '/etc/htpasswd'
  Require user USER
  AllowOverride None
  Order allow,deny
  allow from all
  php_admin_value engine Off
</Directory>

Finally, please ensure there are no leftover symlinks of download directories in /srv/rutorrent/home. It’s possible a symlink here may supersede an apache config pointing at the same location.

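As an added example (not code from the post or from the project), a small Python audit that applies the check described above to an Apache vhost fragment: every `<Directory>` block under a user's home must carry `Require user <that user>`, and a `Require valid-user` there is flagged because it opens the directory to any authenticated user. The config text is a constructed sample in the style of the post, with usernames alice, bob, carol and dave as assumptions.

```python
import re

# Constructed sample vhost fragment. The alice block is correct; the bob block
# uses "Require valid-user" (any logged-in user can browse it); the carol block
# pins access to the wrong user.
SAMPLE_CONFIG = """
Alias /alice.rtorrent.downloads "/home/alice/torrents/rtorrent/"
<Directory "/home/alice/torrents/rtorrent/">
  AuthType Digest
  AuthUserFile '/etc/htpasswd'
  Require user alice
</Directory>
Alias /bob.rtorrent.downloads "/home/bob/torrents/rtorrent/"
<Directory "/home/bob/torrents/rtorrent/">
  AuthType Digest
  AuthUserFile '/etc/htpasswd'
  Require valid-user
</Directory>
Alias /carol.deluge.downloads "/home/carol/torrents/deluge/"
<Directory "/home/carol/torrents/deluge/">
  AuthType Digest
  Require user dave
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S)
HOME_RE = re.compile(r'^/home/([^/]+)/')
REQUIRE_RE = re.compile(r'^\s*Require\s+(.+?)\s*$', re.M)

def audit_directory_blocks(config_text):
    """Return (path, finding) pairs for per-user directories whose Require
    directive does not restrict access to exactly the directory owner."""
    findings = []
    for path, body in DIRECTORY_RE.findall(config_text):
        m = HOME_RE.match(path)
        if not m:
            continue  # not a per-user home directory; out of scope here
        owner = m.group(1)
        requires = REQUIRE_RE.findall(body)
        if not requires:
            findings.append((path, "no Require directive"))
        for req in requires:
            parts = req.split()
            if parts[0] == "valid-user":
                findings.append((path, "Require valid-user admits any logged-in user"))
            elif parts[0] != "user" or parts[1:] != [owner]:
                findings.append((path, f"'Require {req}' is not 'Require user {owner}'"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_directory_blocks(SAMPLE_CONFIG):
        print(f"{path}: {finding}")
```

Run it against the real vhost files (for example the contents of /etc/apache2/sites-enabled) to list every per-user download directory whose access rule needs correcting.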

Thanks Liza, I’ll look into this. Much appreciated 🙂