This module will modify an existing instance of the RSS feed-reader widget, and will attempt to return it to its previous state when it has finished running.

Use of this module requires that the user log in to the target Mahara system with their browser proxied through Burp Suite, OWASP ZAP, or a similar intercepting proxy in order to obtain the necessary session key and session cookie. The user represented by that session information must have permission to modify the target widget.

Mahara is a PHP-based application, so directory content enumeration is not possible - a specific target file (or list of specific target files) must be specified. In addition, while text and binary content can both be retrieved, the maximum file size is limited to about 4KB unless certain components on the target were compiled with nonstandard options.

This module uses Yunusov-Osipov-style out-of-band exploitation of a PHP-based application. As a result, it requires an instance of She Wore A Mirrored Mask that is accessible (either directly, or via transparent TCP port-forwarding) to the target system.

This module will generally *not* be successful at sending XXE denial-of-service attacks (--dos-lulz or --dos-quad).