Magpie Vulnerability

October 27th, 2005

In (hopefully) unrelated news, I was just notified that there is a security vulnerability in Snoopy, and hence Magpie. Apparently there is an attack that leverages the fact that Snoopy passes unfiltered arguments to curl that allows for arbitrary code execution. Here is a note I just sent to the mailing list

If you’re running Magpie in a context where you allow people to submit unreviewed URLs, and you have PHP compiled with cURL SSL support then this vulnerability effects you.

Given a specially crafted (and very simple) URL, an attacker can execute arbitrary code in the web server context. There is no escalation possibly with this vulnerability, though potentially it could be combined with other attacks to allow some sort of permissions escalation.

I’ll will release a patch, and a new version this evening unless someone beats me to it. (unfortunately we haven’t been given a grace period here)

Its a variation on the traditional PHP null terminated string attack. (Does make me wish I had made it to Chris’ talk when he was here a few weeks ago, rather then being 1 of 3000 people turned away from the Murakami talk at MIT)

update 2005-10-28T15:33Z: I’ve got a patch out, waiting for a few people to sanity check it, before rolling out a new release.

Tagged: Uncategorized , , ,

Comments are closed.