When checking in database if my users have updated their hashed passwords, I saw that mine is not updated. So, I tried to log-out and -in, and me password is not updated with the new hash algo.
But, in the code, I saw that the password is forced to be updated in the check_password function, so I tried to login again, with a bad password but a correct OTP, and it was successful.
I do not know if this is a bug, or (weirdly?) if a correct OTP is considered sufficient to login to TT-RSS.
btw, this is the kind of stuff best reported in private. imagine if it was something easier exploitable, your public report gave everyone 7 hours to play around with it (and more, until people update).
Thanks everyone for your work. I have always wondered though why fox and others put so much work into security for TT-RSS. What are people using TT-RSS for that warrants so much security, like getting a CVE for this, using OTP for logins, and the csrf protections?
I use TT-RSS to read news, changelogs, comics, announcements, etc. I want it to be secure so hackers don’t mess up my settings and mark things as read before I read them, but those would just be annoyances that I’d fix using web server level password protection.
I wish other OSS projects would put this level of effort into their programs’ security.
i wouldn’t bother with a cve (i have no idea where one would get it anyway), i don’t use otp for tt-rss because who cares, the only thing that’s really unavoidable is csrf, if there’s any internet content involved.
yeah this is pretty much the extent of horrific exploits possible via properly containerized tt-rss.
Why is everyone understating the value of daily comics?
I don’t even use passwords… I just use certificates to authenticate. It’s annoying to setup, but it’s a one time thing and then I never have to “login” to TT-RSS, I just visit the web site and read.
this guy gets it. i could get by with md5 unsalted passwords but i can’t survive without af_comics.
e: its a shame after tumblr died many people moved to instagram which is apparently pretty much impossible to scrape. tumblr had rss feeds. good times.
Hey! I’m a security researcher, so I am a bit biased, but here’s my take on it:
Good security is done in layers (see swiss cheese model). An extreme example would be someone compromising the TT-RSS instance, gaining RCE (Remote Code Execution), and using a Docker escape exploit to breach the entire server running the Docker daemon.
Assuming the Docker installation is safe, there are still risks in compromising the TT-RSS instance, as shown in our previous research where we could gain RCE. We were able to use a combination of relatively low-impact bugs to compromise the entire installation. In this example, an attacker with access to a popular RSS feed could run arbitrary code on all TT-RSS clients subscribed to this feed, thus making it possible to build a botnet for other nefarious purposes. I encourage you to read the report if you want to know more about it.
Coming back to the current vulnerability, the impact is obviously low. But requesting a CVE still has positive value for internet security. Whether fox likes it or not, many Linux distributions package their own TT-RSS, which is rarely updated. I saw some developers fixed the issues we discovered few months after we made the report public, and that was for an RCE. By issuing a public CVE identifier, we make them aware of existing security issues, increasing the chance they’ll update.
