Vulnerability Note VU#338956

DOMIT! RSS testing_domitrss.php discloses local files

Original Release date: 11 Jan 2013 | Last revised: 11 Jan 2013

Overview

A vulnerability in DOMIT! RSS allows an attacker to read local files.

Description

DOMIT! RSS is an RSS parser for PHP. DOMIT! RSS includes a test script called testing_domitrss.php. This script fetches any user-supplied URL and writes the response to a local file whose name is the MD5 hash of the URL (e.g., md5 -s [string]). The script does not validate the user-supplied URL, so an attacker can provide any string as input, including a local file path (e.g., /etc/passwd), and can then retrieve the written copy because the file name is predictable.
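The two weaknesses the note describes (an unvalidated fetch target and a cache file name that anyone can derive from the URL) are shown below next to one hardened alternative. This is an added illustration for this note, not DOMIT! RSS, trixbox or SugarCRM code; the function names, the cache directory and the HMAC secret are assumed, and the note's actual remedy remains removing the test script from production systems.

```php
<?php
// Added illustration only; not the DOMIT! RSS test script. Names are assumed.

// Vulnerable shape: whatever string arrives is opened and its contents are
// written under a name (md5 of the input) that the requester can compute.
function cache_feed_unsafe(string $url, string $cacheDir): string
{
    $body = file_get_contents($url);            // a local path such as /etc/passwd is accepted
    $path = $cacheDir . '/' . md5($url);        // predictable, and $cacheDir may be web-served
    file_put_contents($path, $body);
    return $path;
}

// Hardened shape: only absolute http(s) URLs are fetched, the copy is stored
// outside the document root, and its name is a keyed hash so it cannot be
// derived from the URL alone.
function cache_feed_safe(string $url, string $cacheDir, string $secret): string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only absolute http(s) URLs are accepted');
    }
    if (!is_dir($cacheDir) || !is_writable($cacheDir)) {
        throw new RuntimeException('Cache directory (assumed outside the web root) is unusable');
    }

    // Bounded fetch: short timeout, no redirect following (a redirect could
    // otherwise point the fetch somewhere the scheme check never saw).
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('Fetch failed');
    }

    $name = hash_hmac('sha256', $url, $secret) . '.xml';   // not computable without $secret
    $path = rtrim($cacheDir, '/') . '/' . $name;
    file_put_contents($path, $body, LOCK_EX);
    return $path;
}

// Usage sketch (assumed values): a local path is rejected before anything is read.
try {
    cache_feed_safe('/etc/passwd', '/var/cache/feeds', 'change-me');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // Only absolute http(s) URLs are accepted
}
```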

DOMIT! RSS Parser is included as a component in other software packages, notably trixbox and SugarCRM. Reports indicate scanning activity for vulnerable trixbox installations.

Impact

An unauthenticated remote attacker could read any file accessible to the user executing testing_domitrss.php (typically the web server process).

Solution

Remove testing_domitrss.php

Remove testing_domitrss.php from production systems.

Update

trixbox has reported that this functionality has been removed in trixbox 2.8. testing_domitrss.php is not present in trixbox 2.6.22. The script is present in trixbox 2.2.12. In limited testing, in at least one trixbox version the script was present but read access to files was denied by the web server configuration.

SugarCRM fixed a similar vulnerability in versions 4.5.1j and 5.0.0c.

Vendor Information

Any software that uses DOMIT! RSS may be affected, not only trixbox and SugarCRM.

Vendor      Status     Date Notified   Date Updated
Fonality    Affected   15 Jul 2009     11 Jan 2013
SugarCRM    Affected   -               11 Jan 2013
trixbox     Affected   15 Jul 2009     11 Jan 2013

CVSS Metrics

Group           Score   Vector
Base            7.5     AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal        6.2     E:F/RL:OF/RC:C
Environmental   1.6     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Credit

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 04 Feb 2009
  • Date First Published: 11 Jan 2013
  • Date Last Updated: 11 Jan 2013
  • Document Revision: 19