jparyani / Tiny-Tiny-RSS

A PHP and Ajax feed reader
http://tt-rss.org/
GNU General Public License v2.0

SQL Injection Vulnerability #8

Open jacksingleton opened 8 years ago

jacksingleton commented 8 years ago

A SQL injection vulnerability was recently found in TTRSS.

I haven't tested but I presume this version is vulnerable.

Sandstorm does lessen the impact, but someone you share your grain with could feasibly exploit this bug.

http://seclists.org/fulldisclosure/2016/Feb/73

jparyani commented 8 years ago

Definitely worth updating for the fix, but I agree it appears to be mostly mitigated by Sandstorm's user sharing model. Since there aren't any permissions/roles in the TinyTinyRSS Sandstorm port, this isn't exploitable for privilege escalation. A malicious user could delete/corrupt the DB though :)

kentonv commented 8 years ago

Yay, added to security non-events: https://github.com/sandstorm-io/sandstorm/pull/1537

Since we don't support permissions in TTRSS currently, if you share your feed with someone, you are sharing full administrative access -- they could delete all your subscriptions, subscribe you to shock images, etc. So it seems the SQL injection doesn't provide anything interesting on Sandstorm.

Thanks for filing this!