CVE-2021-28940

9.8 CRITICAL

📋 TL;DR

CVE-2021-28940 is a command injection vulnerability in MagpieRSS 0.72 that allows remote attackers to execute arbitrary commands on affected systems. The vulnerability exists in the Snoopy.class.inc file where improper escaping of curl commands enables injection. This affects any system running vulnerable MagpieRSS versions with the debug or simple scripts accessible.

💻 Affected Systems

Products:
  • MagpieRSS
Versions: 0.72
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to /scripts/magpie_debug.php or /scripts/magpie_simple.php pages

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level command execution, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web server compromise, data theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact if scripts are disabled or proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires minimal technical skill to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.72 and later versions with proper escaping

Vendor Advisory: https://github.com/kellan/magpierss/commit/04d2a88b97fdba5813d01dc0d56c772d97360bb5

Restart Required: No

Instructions:

1. Update to latest MagpieRSS version.
2. Apply the patch from GitHub commit 04d2a88b.
3. Replace vulnerable Snoopy.class.inc file with patched version.

🔧 Temporary Workarounds

Disable vulnerable scripts

all

Remove or restrict access to magpie_debug.php and magpie_simple.php scripts

rm /path/to/magpierss/scripts/magpie_debug.php
rm /path/to/magpierss/scripts/magpie_simple.php

Web server access control

all

Block access to vulnerable scripts via web server configuration

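# Apache:
<Location "/scripts/magpie_*">
    Require all denied
</Location>

# Nginx (place before any regex location that handles .php, because the first matching regex location wins):
location ~ ^/scripts/magpie_ { deny all; }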

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for RSS URL parameters
  • Deploy WAF rules to block command injection patterns in URL parameters

🔍 How to Verify

Check if Vulnerable:

Check if MagpieRSS version is 0.72 and if /scripts/magpie_debug.php or /scripts/magpie_simple.php are accessible

Check Version:

grep -r 'MagpieRSS' /path/to/installation/ | grep 'version'

Verify Fix Applied:

Verify Snoopy.class.inc file contains proper escaping in curl command execution (line 660+)

📡 Detection & Monitoring

Log Indicators:

  • Unusual curl command executions with pipe characters or semicolons
  • Access to magpie_debug.php or magpie_simple.php with suspicious URL parameters

Network Indicators:

  • HTTP requests to vulnerable scripts containing command injection patterns

SIEM Query:

source="web_logs" AND (uri="/scripts/magpie_debug.php" OR uri="/scripts/magpie_simple.php") AND (url="*;*" OR url="*|*" OR url="*`*")
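
The wildcard query above only matches literal metacharacters, so percent-encoded or double-encoded forms pass unnoticed. The following is an added example, not part of the original advisory or the MagpieRSS project: a log filter that decodes the query string before checking it. It assumes the Apache/Nginx "combined" access log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Script paths and metacharacters are taken from the log indicators above.
SCRIPTS = ("/scripts/magpie_debug.php", "/scripts/magpie_simple.php")
METACHARS = set(";|`")

# Assumption: "combined" access log format (client IP first, quoted request line).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded characters are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, path, decoded_query) for requests to the MagpieRSS scripts
    whose query string contains a shell metacharacter after decoding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        raw_path, _, raw_query = m.group("target").partition("?")
        path = fully_decode(raw_path)
        if not any(script in path for script in SCRIPTS):
            continue
        query = fully_decode(raw_query)
        if METACHARS & set(query):
            hits.append((m.group("ip"), path, query))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2021:10:01:02 +0000] "GET /scripts/magpie_debug.php?url=http%3A%2F%2Ffeeds.example.test%2Frss HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [12/Mar/2021:10:02:11 +0000] "GET /scripts/magpie_debug.php?url=http%3A%2F%2Ffeeds.example.test%2Frss%3Becho%20test HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.7 - - [12/Mar/2021:10:02:15 +0000] "GET /scripts/magpie_simple.php?url=http%3A%2F%2Ffeeds.example.test%2Frss%257Cecho HTTP/1.1" 200 498 "-" "-"',
    '203.0.113.9 - - [12/Mar/2021:10:03:40 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 120 "-" "-"',
]

if __name__ == "__main__":
    for ip, path, query in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} {query!r}")
```

Legitimate feed URLs can contain semicolons, so treat hits as leads to review alongside the source address and response status.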
