Describe the bug
When opening an RSS entry link in a browser (i.e., pressing o), the Application::openArticleLink() function calls system(openCmd.c_str()); to open the URL in a web browser. openCmd is constructed in part from the article URL (article->url) from the remote feed. No validation is performed on article->url, allowing injection of arbitrary commands.
https://github.com/tomschwarz/neix/blob/9924d7d52d67a3125882e3905497159a6af0b3c0/src/application/Application.cpp#L526-L545
The following simple proof of concept demonstrates this issue. Also note that the command injection is effectively invisible as the link is not printed anywhere in the user interface. Upon pressing o, the link is opened immediately and without warning, resulting in execution of the injected command (id >/tmp/pwned).
To Reproduce
Steps to reproduce the behavior:
1. feeds.conf - for example: [rss] rss=http://your.web.server.local/rss
2. ./bin/neix -f /path/to/your/feeds.conf
3. o
4. cat /tmp/pwned for output of id
Expected behavior
The article URL should be opened in a web browser without also executing arbitrary system commands specified in the feed article URL.
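
One way to get the expected behavior, shown as an added example that is not neix's code or its actual fix: validate the feed URL and launch the opener with fork/execvp, so the URL is a single argv element and never passes through a shell as it does with system(). The names isSafeArticleUrl and openUrlNoShell are hypothetical, echo stands in for the browser, and the feed URL is constructed.

```cpp
#include <cstdio>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Accept only http(s) URLs made of printable, non-space ASCII. Requiring the
// scheme prefix also keeps a leading '-' from being read as a browser option.
bool isSafeArticleUrl(const std::string& url) {
    if (url.rfind("http://", 0) != 0 && url.rfind("https://", 0) != 0)
        return false;
    for (unsigned char c : url)
        if (c <= 0x20 || c >= 0x7f) return false;
    return true;
}

// Run `program url` with no shell in between, so ; | & ` $() > in the URL are
// plain bytes. Child stdout is captured into `out` only so the demo can show
// what the program received. Returns the exit status, or -1 if rejected/error.
int openUrlNoShell(const std::string& program, const std::string& url,
                   std::string& out) {
    if (!isSafeArticleUrl(url)) return -1;
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char* const argv[] = {const_cast<char*>(program.c_str()),
                              const_cast<char*>(url.c_str()), nullptr};
        execvp(program.c_str(), argv);
        _exit(127);  // exec failed
    }
    close(fds[1]);
    char buf[256]; ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        out.append(buf, static_cast<size_t>(n));
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    std::string out;  // constructed feed URL carrying a shell metacharacter
    int rc = openUrlNoShell("echo", "http://feed.example/x;id", out);
    std::printf("rc=%d received=%s", rc, out.c_str());
    return rc == 0 ? 0 : 1;
}
```

A real opener would not need the stdout pipe; it is there only to make the unmodified argument observable.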