charlesthomas / magpie

Git-backed Evernote replacement
MIT License
646 stars 50 forks

Explain the security issue? #75

Closed jcrben closed 6 years ago

jcrben commented 7 years ago

It seems that the dropbox link which disclosed the security vulnerability is a dead link. Would you mind explaining it so that other developers can learn from it?

BBBSnowball commented 7 years ago

The dropbox link doesn't explain the vulnerability. It is only an "icon". See http://web.archive.org/web/20160304140911/https://dl.dropboxusercontent.com/u/402325/dontdelete/magpie.jpg

I have never seen the demo while it was still live and I can only guess what the vulnerability might be. I hope this helps anyway.

The author says that users were able to see the whole filesystem (see https://github.com/charlesthomas/magpie/issues/73#issuecomment-190828371). I think this is related to the setting for the repository path. The setting is available via the web interface so an attacker is able to view any git repository (if permissions for the magpie user allow that). I have never tried setting this to a non-git directory but that may yield interesting results. I'm not sure whether this functionality was disabled in the demo.

If magpie is running from a clone of this repository and the magpie user can write to that directory, you have remote code execution (if you can guess or find out the path to the repo).

In addition, the code that handles settings doesn't handle special characters. This is not required for normal operation. However, I think this may also allow remote code execution.

I'm using magpie with external access controls (in a VPN) and I trust all the users (only me) so I'm not too worried about the vulnerability. Nonetheless, I would also like to know whether charlesthomas knows any additional vulnerabilities. They are probably not too hard to fix once we know where to look.
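The two weaknesses BBBSnowball describes above (a repository-path setting that the web UI accepts unchecked, and settings that do not handle special characters) both come down to validating an operator-supplied path before the application uses it. The block below is an added example of such a check, not code from magpie or from anyone in this thread; the function names, the `ALLOWED_SEGMENT` character set and the temporary base directory are assumptions made for illustration. It confines the path to a fixed base directory, rejects traversal, absolute paths and shell-significant characters, and refuses anything that is not a git checkout.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical conservative allow-list for each path component. Magpie's real
# settings code is not shown on this page; this is an added example only.
ALLOWED_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


class InvalidRepoPath(ValueError):
    """Raised when a user-supplied repository path is rejected."""


def validate_repo_path(user_value: str, base_dir: str) -> Path:
    """Resolve `user_value` relative to `base_dir` and return it only if it is
    a git repository that stays inside `base_dir`.

    Rejected: empty values, NUL bytes, absolute paths, '.' / '..' components,
    characters outside the allow-list (so the value is safe to reuse in a
    shell command or template), symlink escapes, and non-git directories.
    """
    if not isinstance(user_value, str) or not user_value.strip():
        raise InvalidRepoPath("empty repository path")
    if "\x00" in user_value:
        raise InvalidRepoPath("NUL byte in repository path")
    raw = Path(user_value)
    if raw.is_absolute():
        raise InvalidRepoPath("absolute paths are not allowed")
    for part in raw.parts:
        if part in (".", "..") or not ALLOWED_SEGMENT.match(part):
            raise InvalidRepoPath(f"disallowed path component: {part!r}")
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link pointing outside `base` is caught.
    candidate = (base / raw).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise InvalidRepoPath("repository path escapes the allowed base directory")
    if not (candidate / ".git").is_dir():
        raise InvalidRepoPath("not a git repository")
    return candidate


def demo() -> dict:
    """Exercise the validator against constructed inputs in a throwaway
    base directory containing one git checkout ('notes') and one plain
    directory ('plain'). Returns each input mapped to 'ok' or 'rejected'."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "repos"
        (base / "notes" / ".git").mkdir(parents=True)   # looks like a checkout
        (base / "plain").mkdir()                         # not a checkout
        samples = ["notes", "../etc", "/etc", "plain", "notes;id", "notes/../notes"]
        results = {}
        for value in samples:
            try:
                validate_repo_path(value, str(base))
                results[value] = "ok"
            except InvalidRepoPath:
                results[value] = "rejected"
        return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:>18} -> {outcome}")
```

The check is deliberately stricter than a plain `relative_to` test: `notes/../notes` would resolve back inside the base, but allowing `..` at all invites mistakes elsewhere, so it is rejected outright along with any character that a shell or template engine might interpret.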

jcrben commented 6 years ago

thanks! closing this for now as that satisfies my curiosity