Tiny Tiny RSS developers move quickly to resolve Big Big security issues

Vulnerabilities in the popular Tiny Tiny RSS (TT-RSS) feed reader that posed a remote code execution threat, and that could have been exploited at scale, have been resolved.

A number of TT-RSS vulnerabilities were discovered during a systematic assessment by security researchers Daniel Neagaru and Benjamin Nadarevia of security company DigeeX.

Andrew Dolgov, the lead developer of TT-RSS, moved quickly to resolve the reported issues, allowing the researchers to publish a detailed write-up of their findings this week.

DigeeX praised the developer's handling of the disclosure process.

“We don’t know how other RSS readers compare to TT-RSS, but we know that the developer has fixed all of our findings and more, and is moving the project in the right direction,” the DigeeX researchers told The Daily Swig.

In their write-up, the researchers explained how they uncovered a series of security vulnerabilities in TT-RSS through a combination of source code review and analysis of the web application's behaviour.

In the process, two cross-site scripting (XSS) flaws, a server-side request forgery (SSRF) flaw, and a local file inclusion (LFI) flaw were found in TT-RSS.

Careful chaining showed that these bugs can be combined to achieve remote code execution (RCE) against the default TT-RSS Docker installation.

The impact of the now-fixed vulnerabilities is serious because they could have been abused to compromise TT-RSS servers en masse, without targeting each user individually, the researchers said.

“To exploit the remote code execution flaw, an attacker would need control of a popular feed, either their own or a compromised website,” the researchers said.


“Our research focused on exploiting the Docker-based installation method, in which one of the containers runs PHP-FPM on port 9000.

“In such a setup, it is conceivable that a threat actor with access to a popular feed creates a new malicious article, which abuses libcurl's support for the Gopher protocol to craft a custom FastCGI packet, send it to PHP-FPM, and install a backdoor on the server,” they added.

Even when these conditions are not met, the researchers warned, an attacker can still abuse the flaw to perform LFI/SSRF and “combine it with the XSS vulnerabilities that we found to steal sensitive information from the server”.
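The chain described above hinges on two things: libcurl will speak Gopher if handed a gopher:// URL, and Gopher is essentially "write these bytes to a socket", so any binary protocol can be tunnelled through an SSRF, including FastCGI to an internal PHP-FPM container. The following Python is an added illustration written for this article; it is not code from DigeeX's write-up or from the TT-RSS project. It builds a minimal FastCGI request from the FastCGI 1.0 record format, shows how such bytes are carried in a gopher:// URL, and then shows the kind of server-side gate a feed fetcher needs before a URL from feed content ever reaches curl. The hostname table, the function names, and the placeholder SCRIPT_FILENAME path are all constructed for the example.

```python
import ipaddress
import struct
from urllib.parse import quote, urlsplit

# FastCGI 1.0 constants: protocol version, record types, and the responder role.
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST = 1
FCGI_PARAMS = 4
FCGI_STDIN = 5
FCGI_RESPONDER = 1


def fcgi_record(rec_type: int, content: bytes, request_id: int = 1) -> bytes:
    """Wrap content in one FastCGI record: 8-byte header, body, zero padding to a multiple of 8."""
    padding = (8 - len(content) % 8) % 8
    # version, type, requestId, contentLength, paddingLength, reserved byte
    header = struct.pack(">BBHHBx", FCGI_VERSION_1, rec_type, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def fcgi_name_value(name: str, value: str) -> bytes:
    """Encode one FCGI_PARAMS pair: a length prefix for each part (1 byte, or 4 bytes with
    the top bit set for lengths >= 128), followed by the name and value bytes."""
    n, v = name.encode(), value.encode()
    out = b""
    for length in (len(n), len(v)):
        out += struct.pack(">B", length) if length < 128 else struct.pack(">I", length | 0x80000000)
    return out + n + v


def fcgi_request(params: dict, stdin: bytes = b"") -> bytes:
    """The record stream a FastCGI server such as PHP-FPM expects for one request:
    BEGIN_REQUEST, PARAMS, empty PARAMS (end of params), STDIN, empty STDIN (end of input)."""
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags, five reserved bytes
    body = b"".join(fcgi_name_value(k, v) for k, v in params.items())
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin)
            + fcgi_record(FCGI_PARAMS, body)
            + fcgi_record(FCGI_PARAMS, b"")
            + fcgi_record(FCGI_STDIN, stdin)
            + fcgi_record(FCGI_STDIN, b""))


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """libcurl's Gopher handler drops the leading "/" and the one-character item type
    ("_" here), percent-decodes the remainder and writes it to the socket followed by CRLF.
    Percent-encoding every byte therefore smuggles arbitrary binary data through the URL."""
    return f"gopher://{host}:{port}/_" + quote(payload, safe="")


# Constructed hostname table standing in for DNS so the example runs offline. These are not
# real feed addresses; 93.184.216.34 is used only as a syntactically public IPv4 literal.
FAKE_DNS = {"feeds.example.com": "93.184.216.34", "intranet": "10.0.0.5"}


def feed_url_allowed(url: str, resolve=FAKE_DNS.get) -> bool:
    """Server-side gate for URLs taken from feed content before they are handed to libcurl.
    Rejects every scheme except http/https (so gopher://, file://, dict:// never reach curl),
    non-web ports, and any host that resolves to loopback, private, link-local or other
    non-public ranges. `resolve` maps a hostname to an IP string; real code must also pin the
    resolved address for the actual connection, otherwise DNS rebinding defeats the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    try:
        if parts.port not in (None, 80, 443):
            return False
    except ValueError:  # malformed port in the URL
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:  # not an IP literal, so resolve the name
        resolved = resolve(parts.hostname)
        if resolved is None:
            return False
        ip = ipaddress.ip_address(resolved)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


if __name__ == "__main__":
    # The bytes a malicious article URL could carry towards a PHP-FPM container on port 9000
    # (the SCRIPT_FILENAME path is a placeholder, not a TT-RSS path) ...
    payload = fcgi_request({"REQUEST_METHOD": "GET", "SCRIPT_FILENAME": "/var/www/html/index.php"})
    url = gopher_url("127.0.0.1", 9000, payload)
    print(url[:60] + "...")
    # ... and the gate that rejects it while letting an ordinary feed URL through.
    print(feed_url_allowed(url), feed_url_allowed("https://feeds.example.com/rss.xml"))
```

Two caveats worth keeping in mind when applying the gate in a real fetcher. First, the scheme check only helps if redirects are restricted too, since curl will otherwise follow an HTTP redirect into gopher://; in libcurl that means setting CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to HTTP and HTTPS (CURLOPT_PROTOCOLS_STR in newer releases). Second, the address check is only as good as the binding between the resolved IP and the socket curl actually opens, which is why the comment in feed_url_allowed insists on pinning it.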

Tiny Tiny RSS is a free and open source RSS and Atom feed aggregator and reader. The software runs as a server-side web application with an AJAX-driven interface.
