
CERT Coordination Center

DOMIT! RSS testing_domitrss.php discloses local files

Vulnerability Note VU#338956

Original Release Date: 2013-01-11 | Last Revised: 2013-01-11

Overview

A vulnerability in DOMIT! RSS allows an attacker to read local files.

Description

DOMIT! RSS is an RSS parser for PHP. DOMIT! RSS includes a test script called testing_domitrss.php. This script writes the contents of any user-supplied URL out to a local file whose name is the MD5 hash of that URL (e.g., md5 -s [string]). The script doesn't validate the user-supplied URL, so an attacker can provide any string as input, such as a local file path (e.g., /etc/passwd), and can predict the name of the resulting file in order to access it.

DOMIT! RSS Parser is included as a component in other software packages, notably trixbox and SugarCRM. Reports indicate scanning activity for vulnerable trixbox installations.
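Because the recommended fix is to remove the script entirely, any request for testing_domitrss.php on a production host is worth flagging, and repeated hits from one source match the scanning activity described above. The following Python check is an added example, not code from this note or from DOMIT! RSS; it assumes Apache combined log format, and the log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:10:01:09 +0000] "GET /domit/testing_domitrss.php HTTP/1.1" 200 812 "-" "curl/7.19"
198.51.100.7 - - [10/Jan/2013:10:01:11 +0000] "GET /domit/testing_domitrss.php HTTP/1.1" 403 288 "-" "curl/7.19"
203.0.113.5 - - [10/Jan/2013:10:02:30 +0000] "GET /rss/feed.php HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2013:10:03:00 +0000] "GET /testing_domitrss.php HTTP/1.1" 404 210 "-" "python-requests"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

SCRIPT_NAME = "testing_domitrss.php"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so only the requested path is compared.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def find_hits(log_text):
    """Return every request whose path ends in testing_domitrss.php."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith("/" + SCRIPT_NAME):
            # A 200 means the script is still present and answered the request;
            # 403/404 show probing against a host where it is denied or removed.
            rec["exposed"] = rec["status"] == 200
            hits.append(rec)
    return hits


def summarize(hits):
    """Count total hits, hits that reached a live script, and hits per source IP."""
    return {
        "total": len(hits),
        "exposed": sum(1 for h in hits if h["exposed"]),
        "sources": Counter(h["ip"] for h in hits),
    }
```

A single "exposed" hit means the script is still reachable and the Solution section applies; repeated hits from one source with 403 or 404 responses are probes against a host that has already been fixed.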

Impact

An unauthenticated remote attacker could read any file accessible to the user executing testing_domitrss.php (typically the web server process).

Solution

Remove testing_domitrss.php

Remove testing_domitrss.php from production systems.

Update

trixbox has reported that this functionality was removed in trixbox 2.8. testing_domitrss.php is not present in trixbox 2.6.22. The script is present in trixbox 2.2.12. In limited testing, at least one trixbox version had the script present, but read access to files was denied by the web server configuration.

SugarCRM fixed a similar vulnerability in versions 4.5.1j and 5.0.0c.

Vendor Information

Any software that uses DOMIT! RSS may be affected, not only trixbox and SugarCRM.

Fonality Affected

Notified: July 15, 2009 | Updated: January 11, 2013

Statement Date: April 30, 2010

Status

Affected

Vendor Statement

You can download any of the 2.8 versions and then do a code update from the GUI. This will get you the latest code. The insecure RSS code was removed in the newer version.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

SugarCRM Affected

Updated: January 11, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf


trixbox Affected

Notified: July 15, 2009 | Updated: January 11, 2013

Statement Date: April 30, 2010

Status

Affected

Vendor Statement

You can download any of the 2.8 versions and then do a code update from the GUI. This will get you the latest code. The insecure RSS code was removed in the newer version.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       6.2    E:F/RL:OF/RC:C
Environmental  1.6    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Art Manion.

Other Information

CVE IDs: None
Date Public: 2009-02-04
Date First Published: 2013-01-11
Date Last Updated: 2013-01-11 23:43 UTC
Document Revision: 19

Sponsored by CISA.