Ticket #241 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Security hole in the Snoopy library

Reported by: mbonetti Owned by: mbonetti
Priority: highest Milestone: Gregarius 0.5.5
Component: BUGS Version:
Severity: critical Keywords:
Cc:

Description

Whenever an SSL-protected webpage is requested with one of the many Snoopy API calls, it calls the function _httpsrequest which takes the URL as argument. This function in turn calls the PHP function exec with unchecked user input. Using a specially crafted URL, an attacker can supply arbitrary commands that are executed on the web server with the privileges of the web user.

While the vulnerability cannot be exploited using the Snoopy class file itself, there may exist implementations which hand unchecked URLs from users to Snoopy.

Advisory

Change History

Changed 3 years ago by sdcosta

IMO, it looks like gregarius is not affected, since SJM's patch was applied to get https support. This was used instead of the official Snoopy sources.

We have the following line in source:trunk/rss/extlib/Snoopy.class.inc#latest

 var $use_curl           = false;

and this is never set to true, so _curlrequest and the exec command are never called.

This is implemented differently in version 1.20 of Snoopy.

This needs to be checked however. I could be completely wrong.

Changed 3 years ago by sdcosta

Sorry, I was being silly as usual. However, if your PHP is compiled with curl-https support (on Dreamhost the default PHP is) then you are not affected.

Changed 3 years ago by mbonetti

  • status changed from new to closed
  • resolution set to fixed

Let's trust PHP's escapeshellcmd() and call this fixed as of [994]
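The following is an added illustration of the two points made in this ticket, the unquoted interpolation of a URL into an exec() command line that the description warns about and the shell escaping that the closing comment relies on. It is not Snoopy's code and not the Gregarius patch in [994]; the function names and sample URLs are assumptions made for the example, and it assumes PHP 7 or later. It deliberately only builds the command strings and never calls exec(). escapeshellarg() is used here for the single URL argument, whereas the ticket's fix uses escapeshellcmd(), which escapes metacharacters across a whole command string; both neutralise the characters shown below.

```php
<?php
// Added example for Trac ticket #241 (not Snoopy's own code).
// Function names, sample URLs and the curl invocation are assumptions.

// Vulnerable pattern described in the ticket: the caller-supplied URL is
// concatenated straight into a shell command line that is then handed to
// exec(). Any shell metacharacter in the URL is interpreted by the shell.
function build_curl_command_unsafe(string $url): string
{
    return "curl -k -s " . $url;
}

// Hardened form: pass the URL as one quoted shell argument. escapeshellarg()
// wraps the value in single quotes and escapes embedded single quotes, so
// ';', '|', '&', '$', backticks and whitespace lose their meaning.
function build_curl_command_safe(string $url): string
{
    return "curl -k -s " . escapeshellarg($url);
}

// Defence in depth, in addition to quoting: only https URLs reach the exec()
// path, so reject anything that is not an https URL made of characters that
// are harmless to a shell. This allowlist rejects whitespace, quotes,
// backticks, ';', '|', '$', '(', ')', '<', '>' and '\'.
function is_plain_https_url(string $url): bool
{
    return (bool) preg_match('~^https://[A-Za-z0-9._~%/:?&=+#-]+$~', $url);
}

// Constructed sample inputs: a benign feed URL and one carrying a shell
// metacharacter of the kind the ticket describes.
$samples = [
    'https://example.org/feed.xml',
    'https://example.org/feed.xml;id',
];

foreach ($samples as $url) {
    printf("url    : %s\n", $url);
    printf("unsafe : %s\n", build_curl_command_unsafe($url));
    printf("safe   : %s\n", build_curl_command_safe($url));
    printf("allowed: %s\n\n", is_plain_https_url($url) ? 'yes' : 'no');
}
```

For the second sample the unsafe line ends in `feed.xml;id`, which a shell would split into two commands, while the safe line carries the whole URL inside single quotes and is_plain_https_url() rejects it outright. Applications that hand user-controlled URLs to Snoopy should apply the allowlist check before the call, since, as the description notes, the class file itself does no such validation.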
