FreshRSS Favicon Cache Poisoning Vulnerability

Vulnerability

A vulnerability in FreshRSS versions prior to 1.26.2 allows favicon cache poisoning by manipulating feed URLs. When a feed is added through an attacker-controlled proxy with SSL verification disabled, the favicon hash is calculated from the feed URL alone, ignoring the proxy details and SSL settings. This oversight allows the feed response to be intercepted and the favicon replaced with one from a malicious source; because the cache entry is shared, the replacement is shown to all users. The root cause is that the favicon hash relies solely on the feed URL, which can be altered by any user.
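To show why keying the favicon cache on the feed URL alone is unsafe, here is an added Python example (not FreshRSS code, and not the actual 1.26.2 fix, which this page does not show): two feed entries for the same URL, one fetched directly and one through an untrusted proxy with SSL verification off, share one cache entry under a URL-only key and are kept apart when the key also covers the fetch settings. The FeedConfig fields, the proxy address and the favicon bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class FeedConfig:
    """Per-feed fetch settings (constructed for this example)."""
    url: str
    proxy: Optional[str] = None   # None means a direct connection
    ssl_verify: bool = True

def weak_favicon_key(cfg: FeedConfig) -> str:
    # Pre-1.26.2 behaviour described above: the key depends on the URL only,
    # so every feed entry for that URL shares one cached favicon.
    return hashlib.sha256(cfg.url.encode()).hexdigest()

def hardened_favicon_key(cfg: FeedConfig) -> str:
    # Illustrative fix: bind the cache entry to the settings that decide who
    # could have answered the fetch. Length prefixes keep fields unambiguous.
    fields = [cfg.url, cfg.proxy or "", "1" if cfg.ssl_verify else "0"]
    material = b"".join(len(f).to_bytes(4, "big") + f.encode() for f in fields)
    return hashlib.sha256(material).hexdigest()

class FaviconCache:
    """Minimal shared cache: one stored favicon per key, filled on first use."""
    def __init__(self, key_fn: Callable[[FeedConfig], str]) -> None:
        self.key_fn = key_fn
        self.store: Dict[str, bytes] = {}

    def get_or_fetch(self, cfg: FeedConfig, fetch: Callable[[FeedConfig], bytes]) -> bytes:
        key = self.key_fn(cfg)
        if key not in self.store:
            self.store[key] = fetch(cfg)
        return self.store[key]

def simulated_fetch(cfg: FeedConfig) -> bytes:
    # Stand-in for the network: a proxied, unverified fetch returns whatever
    # the proxy chooses; a direct, verified fetch returns the origin's icon.
    return b"icon-from-proxy" if cfg.proxy else b"icon-from-origin"

def favicon_seen_by_direct_user(key_fn: Callable[[FeedConfig], str]) -> bytes:
    """Fill the cache via the proxied entry first, then read it as the direct entry."""
    url = "https://feeds.example/rss.xml"   # constructed value
    proxied = FeedConfig(url, proxy="http://proxy.example:8080", ssl_verify=False)
    direct = FeedConfig(url)
    cache = FaviconCache(key_fn)
    cache.get_or_fetch(proxied, simulated_fetch)
    return cache.get_or_fetch(direct, simulated_fetch)
```

With the URL-only key the direct entry receives the proxy-supplied icon; with the settings-bound key it triggers its own verified fetch.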

Impact

Exploitation of this vulnerability allows for the unauthorized replacement of feed favicons for all users, potentially with offensive images.

Reproduction

To reproduce this vulnerability, add a feed with a URL that can be intercepted. Set the proxy to an attacker-controlled one and disable SSL verification. After the feed is added, intercept the feed response and change the website URL to one that the attacker controls. Once the response is modified, the favicon will be replaced with one from the controlled URL. Clear the favicon cache to observe the change.

Remediation

Users can update to FreshRSS version 1.26.2 or later, where this vulnerability has been fixed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.