Summary

It's possible to poison the server-side feed favicon cache for other users by editing the website URL in a feed that has the same URL.

Details

The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables inside the hash:

• website URL
• proxy address
• proxy protocol
• whether SSL should be verified

This is how the favicon filenames are created in faviconPrepare:

$txt = FAVICONS_DIR . $this->hash() . '.txt';
$ico = FAVICONS_DIR . $this->hash() . '.ico';

public function hash(): string {
	if ($this->hash == '') {
		$salt = FreshRSS_Context::systemConf()->salt;
		$this->hash = hash('crc32b', $salt . $this->url);
	}
	return $this->hash;
}

Since the $this->url variable only contains the feed's URL, which is linked to the website URL used for downloading the favicon, that is changeable by any user, anyone can alter the favicon's image for all users.

PoC

After adding a feed, go into its settings and edit the following field:

The applied favicon will be the one that's found at the newly set URL.

Then, go into the settings again and clear the cache:

The effects may not be observable instantly if the browser cached the image earlier, so it should be cleared to make sure the favicon has been replaced.

It's also possible to modify the website URL without going into the settings of the feed, by using a proxy with disabled SSL verifying to intercept the XML of the feed and changing the website URL inside of it.

Impact

Feed favicons can be replaced for all users by anyone, offensive images could be put inside the favicon.