Package: qbittorrent-nox
Version: 4.2.5-0.1
Severity: normal

Hi maintainer,

When upgrading qbittorrent from the version in buster (4.1.5-1+deb10u1)
to the version in bullseye (4.2.5-0.1), the password for the web
interface is automatically reset back to the default ("adminadmin")
without any warning to the user.

I believe this is due to a change in qbittorrent 4.2.0 which switched to
using PBKDF2 for storing web UI and GUI lock passwords [0], causing any
password set using old versions of qbittorrent to be ignored completely.

This is dangerous because qbittorrent may be exposed to the internet or
other untrusted traffic (e.g. via [1]). After an upgrade, the user's
qbittorrent instance will be accessible using the default, easily
guessable credentials. This will allow an attacker to view private
information, execute arbitrary scripts as the user running qbittorrent,
etc.

Reproduction steps:

1. Starting from buster, install qbittorrent-nox:

    root@host:~$ apt-get install qbittorrent-nox=4.1.5-1+deb10u1

2. Run qbittorrent-nox:

    root@host:~$ qbittorrent-nox

    ******** Information ********
    To control qBittorrent, access the Web UI at http://localhost:8080
    The Web UI administrator user name is: admin
    The Web UI administrator password is still the default one: adminadmin
    This is a security risk, please consider changing your password from program preferences.

3. Log in to the web UI at http://localhost:8080 with the default
   credentials (admin:adminadmin) and change the password from the
   "Settings" menu. You can test by clearing your cookies that the
   default username and password no longer work.

4. Stop qbittorrent-nox (e.g. Ctrl-C).

5. Upgrade your system from buster to bullseye, which brings in
   qbittorrent-nox=4.2.5-0.1. (You can also reproduce this by manually
   backporting just the qbittorrent-nox package and installing on a
   buster host.)

6. Run qbittorrent-nox again:

    root@host:~$ qbittorrent-nox

    ******** Information ********
    To control qBittorrent, access the Web UI at http://localhost:8080
    The Web UI administrator username is: admin
    The Web UI administrator password is still the default one: adminadmin
    This is a security risk, please consider changing your password from program preferences.

   Note that it indicates that the web UI password is at the default. You
   can also verify at http://localhost:8080 that you can log in with the
   default credentials (admin:adminadmin) again.


[0]: https://www.qbittorrent.org/news.php
[1]: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI
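A pre-upgrade check for the silent reset described in this report, added here as an illustration (it is not part of the bug report and not qBittorrent's own code). It parses a copy of the qBittorrent profile and reports whether the Web UI password is stored in the old digest format that 4.2+ ignores, in the PBKDF2 format 4.2+ reads, or not at all. The key names `WebUI\Password_ha1` and `WebUI\Password_PBKDF2` under `[Preferences]`, and the default profile path `~/.config/qBittorrent/qBittorrent.conf`, are assumptions about the config layout; the sample configs are constructed, with placeholder digest values.

```python
import configparser
import os

# Assumed qBittorrent.conf layout (Qt QSettings INI, not quoted in the report):
#   pre-4.2 releases store a digest under WebUI\Password_ha1
#   4.2+ releases store a PBKDF2 value under WebUI\Password_PBKDF2
# 4.2+ does not read the old key, so a profile with only the old key
# comes up with the default "adminadmin" after the upgrade.
SECTION = "Preferences"
LEGACY_KEY = "WebUI\\Password_ha1"
PBKDF2_KEY = "WebUI\\Password_PBKDF2"
DEFAULT_CONF_PATH = os.path.expanduser("~/.config/qBittorrent/qBittorrent.conf")

# Constructed sample profiles (digest values are placeholders, not real hashes).
LEGACY_CONF = """[Preferences]
WebUI\\Port=8080
WebUI\\Password_ha1=@ByteArray(PLACEHOLDER_LEGACY_DIGEST)
"""

PBKDF2_CONF = """[Preferences]
WebUI\\Port=8080
WebUI\\Password_PBKDF2="@ByteArray(PLACEHOLDER_SALT:PLACEHOLDER_HASH)"
"""

FRESH_CONF = """[Preferences]
WebUI\\Port=8080
"""

MESSAGES = {
    "pbkdf2": "OK: Web UI password is stored in PBKDF2 form; 4.2+ will keep it.",
    "legacy": "WARNING: Web UI password is stored in the pre-4.2 digest form only; "
              "upgrading to 4.2+ will silently fall back to admin:adminadmin. "
              "Re-set the password immediately after upgrading.",
    "default": "WARNING: no Web UI password is stored; the default admin:adminadmin "
               "is in effect.",
}


def parse_qbt_conf(text):
    """Parse qBittorrent.conf text, keeping key case and backslashes intact."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # do not lower-case keys such as WebUI\Port
    parser.read_string(text)
    return parser


def classify_webui_password(text):
    """Return 'pbkdf2', 'legacy' or 'default' for the given profile text."""
    cfg = parse_qbt_conf(text)
    if not cfg.has_section(SECTION):
        return "default"
    pbkdf2 = cfg.get(SECTION, PBKDF2_KEY, fallback="").strip()
    legacy = cfg.get(SECTION, LEGACY_KEY, fallback="").strip()
    if pbkdf2:
        # 4.2+ may keep the old key alongside the new one; the new one wins.
        return "pbkdf2"
    if legacy:
        return "legacy"
    return "default"


def upgrade_warning(text):
    """Classify the profile and return (state, human-readable message)."""
    state = classify_webui_password(text)
    return state, MESSAGES[state]


def check_profile_file(path=DEFAULT_CONF_PATH):
    """Check a real profile on disk; returns None if the file is absent."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return upgrade_warning(fh.read())


if __name__ == "__main__":
    result = check_profile_file()
    if result is None:
        # No local profile: demonstrate on the constructed samples instead.
        for name, sample in (("legacy", LEGACY_CONF), ("pbkdf2", PBKDF2_CONF),
                             ("fresh", FRESH_CONF)):
            print(name, "->", upgrade_warning(sample)[1])
    else:
        print(DEFAULT_CONF_PATH, "->", result[1])
```

Run it against a copy of the profile before the dist-upgrade (or in a cron job afterwards): a `legacy` result means the password the user set under 4.1.x will not carry over, so the Web UI should be kept off untrusted networks until it is re-set under the new version.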
