The following are proof of concept exploits against three bittorrent clients. uTorrent' WebUI, Azurues's "HTML WebUI", and TorrentFlux. More information: TorrentFlux v2.3(Latest) If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here: http://localhost/torrentflux_2.3/html/downloads/USER_NAME/ You do not have to know a password to access this folder, but you will have to know the username.
Add an admistrative account:
uTorrent’s WebUI is also affected: force file download: utorrent change administrative login information: After the username or password have been changed then the browser must re-authenticate., So is Azurues’s HTML WebUI: Force file download: