Ubuntu / Linux news and application reviews.

A malicious attacker can send parameters to the web interface, which could enable remote torrent uploads with the possibility of remote code execution. A workaround is to disable the web interface plugin in KTorrent ("Plugins" > uncheck "Web Interface").

Two vulnerabilities have been discovered in the web interface plugin for the KDE BitTorrent client, KTorrent. A malicious attacker sending specially crafted parameters to the interface could enable both remote code execution and arbitrary torrent uploads.

Says TorrentFreak blog

Versions affected by this issue are 2.2.8 and earlier, so users updating to the latest version are protected from these security vulnerabilities.

What is KTorrent?

KTorrent is a BitTorrent program for KDE. You can use it to download and upload
files on the BitTorrent network. Additional KTorrent features include:
- uTorrent compatible peer exchange
- Zeroconf extension to find peers on the local network
- WebGUI plugin
- Grouping feature to put torrents into groups with configurable for the
torrent of each group.
- Downloads torrent files
- Upload and download speed capping
- Speed limits for individual torrents
- Internet searching using various search engines, you can even add
your own
- UDP Trackers
- Port forwarding with UPnP
- IP blocking plugin
- Importing of partially or fully downloaded files
- Support for distributed hash tables (mainline version)
- Protocol encryption
- Bandwith scheduling
- Directory scanner to automatically load torrents in certain directories
- Trackers can be added to torrents
- File prioritization for multi file torrents
- Option to fully preallocate diskspace to avoid fragmentation
- Diskspace monitoring, with option to stop torrents when diskspace is
running low
- Statistics plugin
- IPv6 support
- SOCKSv4 and v5 support
- The network interface to use can be selected
- Individual files of a torrent can be moved
- Queue Manager Gui
- Media Player plugin
- Webseeds