TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
Description
TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In versions up to and including 2.8.8, an authenticated SQL injection vulnerability exists in the moderator control panel (modcp.php). Users with moderator permissions can exploit this vulnerability by supplying a malicious topic_id (t) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database. Although it requires moderator privileges, it is still severe. A malicious or compromised moderator account can leverage this vulnerability to read, modify, or delete data. A patch is available at commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TorrentPier ≤2.8.8 has an authenticated SQL injection in modcp.php via the topic_id parameter, allowing moderators to execute arbitrary SQL queries.
Vulnerability
An authenticated SQL injection vulnerability exists in the moderator control panel (modcp.php) of TorrentPier, an open-source BitTorrent tracker engine, in versions up to and including 2.8.8 [1]. The root cause is that the topic_id parameter (passed as t in the request) is taken directly from user input and concatenated into an SQL query without sanitization or parameterization [1]. Specifically, in the vulnerable code block at lines 111-122 of modcp.php, the variable $topic_id is embedded directly into the WHERE t.topic_id = $topic_id clause [1].
Exploitation
To exploit this vulnerability, an attacker must have moderator privileges on a TorrentPier instance [1]. The attacker can supply a malicious topic_id value containing SQL syntax (e.g., boolean logic or time-based functions) to manipulate the query's execution [1]. A proof-of-concept demonstrates using sqlmap with sqlmap to automate time-based blind SQL injection against the t parameter [1].
Impact
Successful exploitation allows an authenticated moderator to execute arbitrary SQL queries against the database [1]. This can lead to the disclosure, modification, or deletion of any data stored in the database, including user credentials, private messages, and tracker configuration [1]. The severity is high because a compromised or malicious moderator account can fully compromise the database [1].
Mitigation
The vulnerability is patched in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80, which casts the topic_id value to an integer before use [4]. This fix is included in version 2.8.9, released on 2025-11-28 [3]. Users should upgrade to version 2.8.9 or later [3]. Note that the TorrentPier project has since been archived and no further security patches are planned; self-hosted instances are responsible for their own security maintenance [2].
- Authenticated SQL Injection in Moderator Control Panel (modcp.php) via topic_id parameter
- GitHub - torrentpier/torrentpier: 🐂 TorrentPier. Bull-powered BitTorrent tracker engine
- Release v2.8.9 · torrentpier/torrentpier
- fix(security): prevent SQL injection in moderator panel topic_id para… · torrentpier/torrentpier@6a0f649
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
torrentpier/torrentpierPackagist | < 2.8.9 | 2.8.9 |
Affected products
2- Range: <=2.8.8
- torrentpier/torrentpierv5Range: <= 2.8.8
Patches
16a0f6499d89ffix(security): prevent SQL injection in moderator panel topic_id parameter (#2216)
1 file changed · +3 −3
modcp.php+3 −3 modified@@ -73,9 +73,9 @@ function validate_mode_condition($request_index, $mod_action = '') $user->session_start(['req_login' => true]); // Obtain initial vars -$forum_id = $_REQUEST[POST_FORUM_URL] ?? 0; -$topic_id = $_REQUEST[POST_TOPIC_URL] ?? 0; -$post_id = $_REQUEST[POST_POST_URL] ?? 0; +$forum_id = isset($_REQUEST[POST_FORUM_URL]) ? (int)$_REQUEST[POST_FORUM_URL] : 0; +$topic_id = isset($_REQUEST[POST_TOPIC_URL]) ? (int)$_REQUEST[POST_TOPIC_URL] : 0; +$post_id = isset($_REQUEST[POST_POST_URL]) ? (int)$_REQUEST[POST_POST_URL] : 0; $start = isset($_REQUEST['start']) ? abs((int)$_REQUEST['start']) : 0; $confirmed = isset($_POST['confirm']);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-4rwr-8c3m-55f6ghsaADVISORY
- github.com/torrentpier/torrentpier/commit/6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80ghsax_refsource_MISCWEB
- github.com/torrentpier/torrentpier/releases/tag/v2.8.9ghsaWEB
- github.com/torrentpier/torrentpier/security/advisories/GHSA-4rwr-8c3m-55f6ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.