Vulnerability Note VU#338956

DOMIT! RSS is an RSS parser for PHP. DOMIT! RSS includes a test script called testing_domitrss.php. This script writes out the contents of any user-supplied URL to a local file named the MD5 hash of the URL (e.g., md5 -s [string]). The script doesn't validate the user-supplied URL, so an attacker can provide any string as input, such as a local file (e.g., /etc/passwd) and predictably know the name of the file to access it.

DOMIT! RSS Parser is included as a component in other software packages, notably trixbox and SugarCRM. Reports indicate scanning activity for vulnerable trixbox installations.

An unauthenticated remote attacker could read any file accessible to the user executing testing_domitrss.php (typically the web server process).

Remove testing_domitrss.php

Remove testing_domitrss.php from production systems.

Update

trixbox has reported that this functionality has been removed in trixbox 2.8. testing_domitrss.php is not present in trixbox 2.6.22. The script is present in trixbox 2.2.12. In limited testing, at least one trixbox version the script was present but read access to files is denied by the web server configuration.

SugarCRM fixed a similar vulnerability in versions 4.5.1j and 5.0.0c.

Any software that uses DOMIT! RSS may be affected, not only trixbox and SugarCRM.