CVE-2020-25787
published 2020-09-19

CVE-2020-25787: An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.

Priority: P2 (65), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 18.42% (96.9th percentile)

Affected (2 ranges)

Vendor  | Product       | Version range                                          | Fixed in
debian  | tt-rss        | < tt-rss 21~git20210204.b4cbc79+dfsg-1 (bookworm)      | tt-rss 21~git20210204.b4cbc79+dfsg-1 (bookworm)
tt-rss  | tiny_tiny_rss | < 2020-09-16                                           | 2020-09-16

Detection & IOCs (extracted from sources)

url:   public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=gopher://localhost:9000/_<FCGI_PAYLOAD>&text
path:  /var/www/html/tt-rss/backdoor.php
path:  /var/www/html/tt-rss/config.php
port:  9000
other: gopher://localhost:9000/
  • Monitor HTTP requests to tt-rss containing the imgproxy plugin endpoint with a gopher:// scheme URL as the `url` parameter — this is the SSRF-to-FastCGI RCE attack vector.
  • Alert on creation of `backdoor.php` under the tt-rss web root (e.g. /var/www/html/tt-rss/backdoor.php), which is the dropped web shell from successful exploitation.
  • Detect outbound gopher:// scheme requests originating from the tt-rss application server, particularly targeting localhost port 9000 (PHP-FPM FastCGI), as this indicates SSRF abuse.
  • Look for FastCGI PHP_VALUE injection strings such as `allow_url_include = On` and `auto_prepend_file = php://input` in network traffic to port 9000, indicating FastCGI parameter manipulation for RCE.
  • Inspect inbound RSS/Atom feed XML files for embedded gopher:// URLs in item link or enclosure fields — the exploit delivers the attack vector via a crafted feed file named `malicious_RCE_feed.xml`.
  • Flag any tt-rss request where the `url` parameter value uses a non-HTTP/HTTPS scheme (e.g. gopher://, ftp://, dict://), as the vulnerability is that tt-rss does not validate all URLs before requesting them.
  • The exploit specifically targets the default Docker installation of tt-rss, where the web root is /var/www/html/tt-rss/ and PHP-FPM listens on localhost:9000. Deployments with non-standard paths or PHP-FPM sockets may require adjusted detection paths.
  • The fix was introduced in commit c3d14e1fa54c7dade7b1b7955575e2991396d7ef; all tt-rss versions before 2020-09-16 are vulnerable. Debian resolved it in package version 21~git20210204.b4cbc79+dfsg-1.
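The detection bullets above can be turned into a small log check. The following is an added example, not code from the tt-rss project or from the sources this record cites: it scans web-server access-log lines (combined log format is assumed), pulls the `url` query parameter out of requests to `public.php`, and flags any value whose scheme is not http or https, labelling gopher:// requests aimed at port 9000 separately because that is the SSRF-to-FastCGI path described above. The log lines, client addresses and the `_PAYLOAD_PLACEHOLDER` path are constructed for the example; the real exploit body is not reproduced.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); these are not
# from the page. Line 2 carries a URL-encoded gopher:// value to show that
# the check works after decoding, line 3 an unencoded ftp:// value.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2020:10:01:02 +0000] "GET /tt-rss/public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=http%3A%2F%2Fexample.com%2Fimg.png HTTP/1.1" 200 512
10.0.0.9 - - [20/Sep/2020:10:01:05 +0000] "GET /tt-rss/public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=gopher%3A%2F%2Flocalhost%3A9000%2F_PAYLOAD_PLACEHOLDER HTTP/1.1" 200 0
10.0.0.9 - - [20/Sep/2020:10:01:07 +0000] "GET /tt-rss/public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=ftp://127.0.0.1/ HTTP/1.1" 200 0
10.0.0.7 - - [20/Sep/2020:10:01:09 +0000] "GET /tt-rss/index.php HTTP/1.1" 200 2048
"""

# Matches the quoted request line: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# tt-rss is expected to fetch only these schemes on behalf of a client.
ALLOWED_SCHEMES = {"http", "https"}
FASTCGI_PORT = 9000  # PHP-FPM default, as noted in the IOCs above


def extract_url_param(target):
    """Return the decoded `url` query parameter of a public.php request, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/public.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer of %XX
    values = query.get("url")
    if not values:
        return None
    return unquote(values[0])  # second pass catches double-encoded values


def classify(url_value):
    """Label a url parameter value, or return None when its scheme is http/https."""
    parts = urlsplit(url_value)
    scheme = parts.scheme.lower()
    if not scheme or scheme in ALLOWED_SCHEMES:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port such as "localhost:abc"
        port = None
    if scheme == "gopher" and port == FASTCGI_PORT:
        return "ssrf-to-fastcgi"
    return "non-http-scheme:" + scheme


def scan_log(text):
    """Return (client, label, url) tuples for every suspicious public.php request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url_value = extract_url_param(match.group("target"))
        if url_value is None:
            continue
        label = classify(url_value)
        if label:
            client = line.split(" ", 1)[0]
            findings.append((client, label, url_value))
    return findings


if __name__ == "__main__":
    for client, label, url_value in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url_value}")
```

Run against a real access log the same way (`scan_log(open(path).read())`); the labels are a starting point for an alert rule rather than a full signature, and the port constant should match whatever PHP-FPM actually listens on in the deployment being monitored.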

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |