Package: qbittorrent-nox
Version: 4.2.5-0.1
Severity: normal

Hi maintainer,

When upgrading qbittorrent from the version in buster (4.1.5-1+deb10u1) to the version in bullseye (4.2.5-0.1), the password for the web interface is automatically reset back to the default ("adminadmin") without any warning to the user.

I believe this is due to a change in qbittorrent 4.2.0 which switched to using PBKDF2 for storing web UI and GUI lock passwords [0], causing any password set using old versions of qbittorrent to be ignored completely.

This is dangerous because qbittorrent may be exposed to the internet or other untrusted traffic (e.g. via [1]). After an upgrade, the user's qbittorrent instance will be accessible using the default, easily guessable credentials. This will allow an attacker to view private information, execute arbitrary scripts as the user running qbittorrent, etc.

Reproduction steps:

1. Starting from buster, install qbittorrent-nox:

   root@host:~$ apt-get install qbittorrent-nox=4.1.5-1+deb10u1

2. Run qbittorrent-nox:

   root@host:~$ qbittorrent-nox

   ******** Information ********
   To control qBittorrent, access the Web UI at http://localhost:8080
   The Web UI administrator user name is: admin
   The Web UI administrator password is still the default one: adminadmin
   This is a security risk, please consider changing your password from program preferences.

3. Log in to the web UI at http://localhost:8080 with the default credentials (admin:adminadmin) and change the password from the "Settings" menu. You can test by clearing your cookies that the default username and password no longer work.

4. Stop qbittorrent-nox (e.g. Ctrl-C).

5. Upgrade your system from buster to bullseye, which brings in qbittorrent-nox=4.2.5-0.1. (You can also reproduce this by manually backporting just the qbittorrent-nox package and installing on a buster host.)

6. Run qbittorrent-nox again:

   root@host:~$ qbittorrent-nox

   ******** Information ********
   To control qBittorrent, access the Web UI at http://localhost:8080
   The Web UI administrator username is: admin
   The Web UI administrator password is still the default one: adminadmin
   This is a security risk, please consider changing your password from program preferences.

   Note that it indicates that the web UI password is at the default. You can also verify at http://localhost:8080 that you can log in with the default credentials (admin:adminadmin) again.

[0]: https://www.qbittorrent.org/news.php
[1]: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI
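A post-upgrade audit an administrator could run to catch the condition this report describes, added here as an example and not part of the report or of the qbittorrent package. It assumes the Web UI password is stored in qBittorrent.conf under the keys WebUI\Password_ha1 (4.1.x) and WebUI\Password_PBKDF2 (4.2+), and that the Web UI exposes POST /api/v2/auth/login answering "Ok." or "Fails."; neither the key names nor the endpoint are named in the report.

```shell
#!/bin/sh
# Added example: audit a qBittorrent install for the "password silently reset
# to adminadmin" condition after a 4.1 -> 4.2 upgrade.
# Assumptions (not from the bug report): config key names Password_ha1 /
# Password_PBKDF2 in the [Preferences] section, and the /api/v2/auth/login call.
set -u

# Classify the stored Web UI password in a qBittorrent.conf. Prints:
#   legacy-only  -> only the 4.1-style ha1 hash is present; 4.2 ignores it,
#                   so the default password is in effect after the upgrade
#   pbkdf2       -> a 4.2-style PBKDF2 entry is present
#   none         -> no stored password at all (default applies)
classify_webui_password() {
    conf="$1"
    has_ha1=0; has_pbkdf2=0
    grep -q '^WebUI\\Password_ha1=' "$conf" && has_ha1=1
    grep -q '^WebUI\\Password_PBKDF2=' "$conf" && has_pbkdf2=1
    if [ "$has_pbkdf2" -eq 1 ]; then echo pbkdf2
    elif [ "$has_ha1" -eq 1 ]; then echo legacy-only
    else echo none
    fi
}

# Map the login endpoint's response body to an audit verdict.
interpret_login_body() {
    case "$1" in
        Ok.*)    echo default-accepted ;;   # default credentials still work
        Fails.*) echo default-rejected ;;   # a real password is in effect
        *)       echo unknown ;;
    esac
}

# Try the default credentials against the local Web UI (the same check the
# report does by hand in step 6). Prints the verdict or "unreachable".
probe_default_login() {
    base="${1:-http://localhost:8080}"
    body=$(curl -s -m 5 -H "Referer: $base" \
        --data-urlencode 'username=admin' \
        --data-urlencode 'password=adminadmin' \
        "$base/api/v2/auth/login") || { echo unreachable; return; }
    interpret_login_body "$body"
}

# Usage: sh audit.sh /path/to/qBittorrent.conf [http://localhost:8080]
if [ "$#" -gt 0 ]; then
    echo "config: $(classify_webui_password "$1")"
    echo "webui:  $(probe_default_login "${2:-http://localhost:8080}")"
fi
```

A result of "legacy-only" or "default-accepted" means the instance is in the state the report describes and the password must be set again before the Web UI is reachable from untrusted networks.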