lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu Oct 27 15:15:00 2005
From: research at sec-consult.com (SEC Consult Research)
Subject: SEC-Consult SA 20051025-0 :: Snoopy Remote 
	Code Execution Vulnerability

On Thu, October 27, 2005 10:12 am, Florian Weimer said:
> Have you considered in your analysis that malicious servers might
> return HTTP redirects which contain suitable URLs?  This requires that
> the offsiteok member is set to true, though, because in the version I
> looked at, only http:// URLs are considered site-local.

Yes, I can confirm this. While I have not thought of this possibility, it
seems to boost the risk coming from the vulnerability.

I found the flaw during a review of Wordpress which uses MagpieRSS which
in turn uses Snoopy. As MagpieRSS is widly used, the concequence is that
any RSS feed-provider can replace the feed with a small redirect script,
exploiting the flaw with a crafted redirect https URL. Doing this with a
highly frequented RSS feed might result in many many servers being
simultaniously compromized. I might add that the offsiteok member defaults
to true and MagpieRSS does not seem to change that default value.

A notice to MagpieRSS has already been sent.

Daniel



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com



Powered by blists - more mailing lists