Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability

From: SEC Consult Research (research_at_sec-consult.com)
Date: 10/27/05

  • Next message: Nicob: "Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit."
    Date: Thu, 27 Oct 2005 16:14:52 +0200 (CEST)
    To: "Florian Weimer" <fw@deneb.enyo.de>
    
    

    On Thu, October 27, 2005 10:12 am, Florian Weimer said:
    > Have you considered in your analysis that malicious servers might
    > return HTTP redirects which contain suitable URLs? This requires that
    > the offsiteok member is set to true, though, because in the version I
    > looked at, only http:// URLs are considered site-local.

    Yes, I can confirm this. While I have not thought of this possibility, it
    seems to boost the risk coming from the vulnerability.

    I found the flaw during a review of Wordpress which uses MagpieRSS which
    in turn uses Snoopy. As MagpieRSS is widely used, the consequence is that
    any RSS feed-provider can replace the feed with a small redirect script,
    exploiting the flaw with a crafted redirect https URL. Doing this with a
    highly frequented RSS feed might result in many many servers being
    simultaneously compromised. I might add that the offsiteok member defaults
    to true and MagpieRSS does not seem to change that default value.

    A notice to MagpieRSS has already been sent.

    Daniel

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SEC Consult Unternehmensberatung GmbH

    Office Vienna
    Blindengasse 3
    A-1080 Wien
    Austria

    Tel.: +43 / 1 / 409 0307 - 570
    Fax.: +43 / 1 / 409 0307 - 590
    Mail: office at sec-consult dot com
    www.sec-consult.com

    EOF Daniel Fabian / @2005
    d.fabian at sec-consult dot com
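The thread above turns on one point: a feed consumer that follows HTTP redirects hands a server-controlled URL back into its own fetch logic, and the offsiteok flag decides whether that URL may even point at another host. The following is an added illustrative example, not code from Snoopy, MagpieRSS or SEC Consult, showing the kind of redirect-target policy check a redirect-following client should apply before fetching a Location header value. The function name redirect_allowed(), the safe-by-default $offsiteok value of false (the opposite of the Snoopy default the mail describes), and the sample URLs are all constructed for this example.

```php
<?php
// Added example (hypothetical, not Snoopy's or MagpieRSS's code): a redirect-target
// policy check applied to a Location header before a client follows it.

/**
 * Decide whether a Location header value may be followed.
 *
 * @param string $location  Raw Location header value from the response.
 * @param string $original  URL of the request that produced the redirect.
 * @param bool   $offsiteok Whether redirects to other hosts are permitted
 *                          (this example assumes a safe default of false).
 * @param array  $schemes   Allowed URL schemes for an absolute redirect target.
 */
function redirect_allowed(string $location, string $original,
                          bool $offsiteok = false,
                          array $schemes = ['http', 'https']): bool
{
    $target = parse_url($location);
    $origin = parse_url($original);
    if ($target === false || $origin === false) {
        return false; // an unparseable URL is never followed
    }

    // Reject whitespace, CR/LF and shell metacharacters outright: a URL that is
    // later handed to another program (as Snoopy does for https) must never carry them.
    if (preg_match('/[\s`$|;&<>\'"\\\\]/', $location)) {
        return false;
    }

    // A relative redirect (no scheme, no host) resolves on the original host.
    if (!isset($target['scheme']) && !isset($target['host'])) {
        return true;
    }

    // Absolute targets must use an allowed scheme and carry a host.
    if (!isset($target['scheme'], $target['host'])
        || !in_array(strtolower($target['scheme']), $schemes, true)) {
        return false;
    }

    // Off-site redirects only when the caller explicitly opted in.
    if (!$offsiteok && strcasecmp($target['host'], $origin['host'] ?? '') !== 0) {
        return false;
    }

    return true;
}

// Constructed sample redirect targets for a fetch of a hypothetical feed URL.
$original = 'http://feeds.example.org/rss.xml';
$samples = [
    '/rss2.xml',                          // relative: followed
    'http://feeds.example.org/new.xml',   // same host: followed
    'https://other.example.net/feed',     // off-site: refused unless $offsiteok
    'https://other.example.net/fe ed',    // whitespace in URL: refused
    'ftp://other.example.net/feed',       // scheme not allowed: refused
];
foreach ($samples as $loc) {
    printf("%-38s %s\n", $loc, redirect_allowed($loc, $original) ? 'follow' : 'refuse');
}
```

The host comparison is deliberately the last check, so that even a caller who sets $offsiteok to true (the Snoopy default the mail mentions) still gets scheme and character validation on every redirect target; a redirect limit and a check that the target port matches the original are reasonable additions that this example omits.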


