Date: Thu Oct 27 15:15:00 2005
From: research at sec-consult.com (SEC Consult Research)
Subject: SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability

On Thu, October 27, 2005 10:12 am, Florian Weimer said:
> Have you considered in your analysis that malicious servers might
> return HTTP redirects which contain suitable URLs? This requires that
> the offsiteok member is set to true, though, because in the version I
> looked at, only http:// URLs are considered site-local.

Yes, I can confirm this. While I have not thought of this possibility, it seems to boost the risk coming from the vulnerability.

I found the flaw during a review of Wordpress which uses MagpieRSS which in turn uses Snoopy. As MagpieRSS is widely used, the consequence is that any RSS feed-provider can replace the feed with a small redirect script, exploiting the flaw with a crafted redirect https URL. Doing this with a highly frequented RSS feed might result in many, many servers being simultaneously compromised.

I might add that the offsiteok member defaults to true and MagpieRSS does not seem to change that default value. A notice to MagpieRSS has already been sent.

Daniel

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com
EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com
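A defensive counterpart to the redirect behaviour discussed in the thread, added here as an example and not code from the advisory, Snoopy or MagpieRSS: a consumer turns off offsiteok, caps the redirect budget, and independently checks that any redirect target is a plain http:// URL on the feed's own host. It assumes Snoopy 1.x's public members $offsiteok, $maxredirs, $lastredirectaddr and $results and its fetch() method; the two function names are hypothetical.

```php
<?php
// Added example: hardening a Snoopy-based feed fetch against off-site and
// https:// redirects. Assumes the Snoopy 1.x public interface named above.
require_once 'Snoopy.class.php';

/**
 * Decide whether a redirect target may be followed: only plain http://
 * URLs (the scheme the reviewed version treats as site-local) and only on
 * the same host as the feed that was originally requested.
 */
function redirectAllowed(string $feedUrl, string $location): bool
{
    $orig = parse_url($feedUrl);
    $next = parse_url($location);
    if ($orig === false || $next === false) {
        return false;
    }
    if (!isset($next['scheme'], $next['host'])) {
        return false;   // relative or malformed targets are rejected
    }
    if (strtolower($next['scheme']) !== 'http') {
        return false;   // never let an https:// target reach the curl code path
    }
    return strcasecmp($next['host'], $orig['host'] ?? '') === 0;
}

/** Fetch a feed with off-site redirects disabled and a tight redirect budget. */
function fetchFeedSafely(string $feedUrl): ?string
{
    if (!redirectAllowed($feedUrl, $feedUrl)) {
        return null;    // refuse non-http feed URLs up front
    }
    $snoopy = new Snoopy();
    $snoopy->offsiteok = false;   // MagpieRSS leaves the default (true) in place
    $snoopy->maxredirs = 2;
    if (!$snoopy->fetch($feedUrl)) {
        return null;
    }
    // Belt and braces: verify where Snoopy actually ended up after redirects.
    if ($snoopy->lastredirectaddr !== ''
        && !redirectAllowed($feedUrl, $snoopy->lastredirectaddr)) {
        return null;
    }
    return $snoopy->results;
}

// Constructed sample input for a quick manual run.
var_dump(redirectAllowed('http://feeds.example.org/rss', 'http://feeds.example.org/new'));   // bool(true)
var_dump(redirectAllowed('http://feeds.example.org/rss', 'https://evil.example.net/x'));   // bool(false)
```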