Tiny Tiny RSS: Community

Security issues? (from r/selfhosted)

Among some nattering, a reddit thread raises security issues:

Unsanitized request arguments (GET or POST) are being used as a global variable to invoke methods. This is insanely unsafe. Right there next to using request parameters blindly in an eval statement.
https://git.tt-rss.org/fox/tt-rss/src/master/backend.php#L5
https://git.tt-rss.org/fox/tt-rss/src/master/backend.php#L101

Is it justified?

I fixed the links for you…

well, first of all, tt-rss doesn’t invoke methods “blindly”.

you need to be authenticated to invoke a subset of handler classes from backend.php from several paths (within tt-rss) where tt-rss autoloader looks for them. you can’t really load anything else, like, some other applications code from tt-rss or whatever, even if you’re authenticated.

there’s a separate host for unauthorized users (public.php) which deals with logging in, etc - you can’t load random classes from there, only specifically whitelisted public stuff.

i’m not sure if this person simply didn’t notice the restrictions (backend.php:48) or decided to ignore it for whatever unknown reasons. tt-rss routing code is absurdly primitive, by design, so i’m not sure how anyone would not be able to figure out how it works by simply skimming through the code for a bit.

anyway, you can certainly try calling some random classes via backend.php but it won’t get you very far while not being logged in, i.e.:

WORKPC:~:$ curl "https://fakecake.org/tt-rss/backend.php?op=feeds&method=index"
{"error":{"code":6,"message":"Request not authorized."}}

if you have a valid logged session and pass CSRF/etc checks then yes you can use the router to invoke classes. you need to do that for the application to actually function as intended.

some classes have further restrictions if required, for example stuff that deals with administrative tasks requires the caller to have a proper access level.

it’s possible that i’m missing something here but this seems like a sensationalist “the sky is falling” kind of situation or an attempt to misguide people.

that said, if someone has a proof of concept exploit for tt-rss, router or otherwise, i’m all ears. i suggest contacting me via email or PM, which is the usual practice for responsible disclosure.


i’ve skimmed through the “discussion” on Reddit and it’s the same old mix of

  • let’s rewrite everything in (flavor of the month meme framework/language) because things are not modern enough
  • discussing me personally re: being a horrible human being because i don’t bother mollycoddling forum posters which is an unthinkable sin for the soyface.jpg generation
  • kids larping as software engineers while being incredibly obvious at it

it’s all so tiresome.

Is it worth posting that to reddit?…

i honestly don’t care if some subreddit hivemind suddenly decides tt-rss is inherently insecure - with zero proofs - but it’s not like i can stop you from posting things there.

e: holy shit the discussion there is cringe inducing.

To be honest, I am not sure I want the flame war garbage that will follow…

i’ve pinned this topic in case people would come on this forum seeking further information because of that post.

e: re: that reddit post, i find it very amusing that people are talking about me not using git properly because it is decentralized while being seemingly incapable of dealing with anything existing outside of github. :thinking:

Alright, thanks for your very quick, precise and complete reply. Appreciate it.

I totally agree. It’s a bit disturbing to see a complete code-rewriter pretender publicly reveal (deflated) security issues in software installed on hundreds or thousands of servers.


that feel when a bunch of outraged redditors visit your website for all the wrong reasons

Now now, that could be just curiosity and as we all know, curiosity kills the cat. :grin:

there was one valid issue pointed out to me in the aforementioned reddit thread: the constructor of an object instantiated by the tt-rss router was called before it had been identified as a handler.

this could lead to a theoretical vulnerability if authorized user requests a non-IHandler tt-rss class which does something leading to an exploit in its constructor. i’m not aware of any such classes but anything is possible, i suppose.

the following commit tweaks the router to instantiate classes via reflection so the constructor is called after the resulting object has been verified as a handler:

so i guess this circus has led to at least one (admittedly, minor) bugfix which is always a good thing.
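An added illustration of the two routing points made in this thread (the authentication gate in front of backend.php, and the constructor-ordering fix just described); this is example code written for this page, not tt-rss’s own router. The interface name IHandler, the classes Feeds and Mailer, and the functions routeOld, routeNew and dispatch are assumptions; tt-rss’s real handler interface and class tree differ. Requires PHP 8 for constructor property promotion.

```php
<?php
declare(strict_types=1);

// Hypothetical handler contract (assumption; tt-rss's actual IHandler differs).
interface IHandler {
    public function index(): array;
}

// A legitimate handler with a cheap, side-effect-free constructor.
final class Feeds implements IHandler {
    public function __construct(private string $user) {}
    public function index(): array { return ['user' => $this->user, 'feeds' => []]; }
}

// A class that lives in the same autoloaded tree but is NOT a handler, and
// whose constructor has a side effect (constructed example: it only counts).
// Under "construct first, then check" ordering, ?op=Mailer would run this
// constructor before the router noticed the object is not an IHandler.
final class Mailer {
    public static int $constructed = 0;
    public function __construct() { self::$constructed++; }
}

// Old ordering (the issue raised on Reddit): instantiate, then check the type.
function routeOld(string $op, mixed ...$ctorArgs): ?IHandler {
    if (!class_exists($op)) return null;
    $obj = new $op(...$ctorArgs);            // constructor has already run here
    return $obj instanceof IHandler ? $obj : null;
}

// Fixed ordering: inspect the class via reflection and only instantiate it if
// it is a concrete IHandler. Non-handler constructors never execute.
function routeNew(string $op, mixed ...$ctorArgs): ?IHandler {
    if (!class_exists($op)) return null;
    $ref = new ReflectionClass($op);
    if (!$ref->isInstantiable() || !$ref->implementsInterface(IHandler::class)) {
        return null;
    }
    return $ref->newInstance(...$ctorArgs);
}

// Front door: mirrors the behaviour shown with curl above. Without a session
// nothing is routed at all; with one, only a verified handler's public,
// non-magic methods are reachable.
function dispatch(array $session, string $op, string $method): array {
    if (empty($session['uid'])) {
        return ['error' => ['code' => 6, 'message' => 'Request not authorized.']];
    }
    $handler = routeNew($op, (string) $session['uid']);
    if ($handler === null || str_starts_with($method, '_')) {
        return ['error' => 'unknown handler or method'];
    }
    $m = new ReflectionMethod($handler, $method);
    if (!$m->isPublic() || $m->isStatic()) {
        return ['error' => 'unknown handler or method'];
    }
    return $m->invoke($handler);
}

// Self-check: the old router runs Mailer's constructor, the new one does not.
routeOld('Mailer');
if (Mailer::$constructed !== 1) throw new RuntimeException('old router should have constructed Mailer');
routeNew('Mailer');
if (Mailer::$constructed !== 1) throw new RuntimeException('new router must not construct non-handlers');

// Unauthenticated requests are rejected before any class is touched.
$denied = dispatch([], 'Feeds', 'index');
if (($denied['error']['code'] ?? null) !== 6) throw new RuntimeException('auth gate failed');

// An authenticated request reaches the verified handler.
$ok = dispatch(['uid' => '42'], 'Feeds', 'index');
if (($ok['user'] ?? null) !== '42') throw new RuntimeException('handler dispatch failed');
echo "ok\n";
```

The point of routeNew is that ReflectionClass answers "is this an instantiable IHandler?" from the class metadata alone, so the decision is made before any user-selected constructor executes; routeOld answers the same question only after the side effect has already happened. The ReflectionMethod check in dispatch is an extra, unrelated hardening that keeps magic and static methods out of the reachable set.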

Your code is garbage. It’s beyond amateur and absolutely cringe-inducing.


Middle aged white man shows his ass on the Internet. Perish the thought.

:poop:

hi cody, welcome to the community

we wish you well in your heroic endeavour to remove fox’s copyright and change tabs to spaces in your magnificent new fork!

Oh look a Brooklyn hipster. How original. I question anyone who decides to put this out on the internet for posterity.

I have been following the developments on reddit and your github lately.

I just wanna say that I appreciate your efforts to make ttrss more reliable and secure and I’m pretty sure the guys on this board do not represent the vast majority of ttrss users.

Then again I’m kinda disappointed by the fact that you registered here just to bitch about the quality of code. Regardless of fox’s attitude, he is a FOSS developer dedicating his own free time to give us ttrss and I highly respect that.

So, if you are offensive it is fine. But if Fox (or anyone else here) is, that is not. Isn’t that the definition of hypocrisy?