Message-ID: <20081228225056.3869.qmail@securityfocus.com>
Date: 28 Dec 2008 22:50:56 -0000
From: admin@...tes0ft.com
To: bugtraq@...urityfocus.com
Subject: MagpieRSS XSS 0day

Hello,

I have found a Cross Site Scripting vulnerability in MagpieRSS, an RSS parser written in PHP. Basically, this piece of software enables users to add their own RSS feeds to be parsed, so they can keep up to date with their favourite feeds as well as the pre-defined ones.

I crafted my own RSS feed, which contains XSS inside the CDATA.

Here is the XML file I used: http://www.elites0ft.com/poc.xml

If, for example, I ask a user to subscribe to my feed after disguising it as a real feed, and I then go and update it with malicious content, the RSS parser will parse the updated content and the user will end up loading an iframe with a cookie stealer inside.

The reason this happens is that the CDATA is not getting escaped. It is a simple fix: htmlentities() around the parsed CDATA.

This is a potentially harmful exploit if you can convince users to add your feed.

Thanks for reading,
system_meltdown.
[Elites0ft.com]
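The mechanism the post describes, as an added example that is not part of the original message and not MagpieRSS code: an XML parser strips the CDATA wrapper and returns the raw markup inside it, so a renderer that drops that text straight into a page emits live HTML. The sample feed below is constructed for this example (it is not the poc.xml from the post) and carries a harmless marker tag rather than a real payload; `html.escape(..., quote=True)` is used as the Python counterpart of the `htmlentities()` fix the post recommends.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed for this example. The <description> wraps
# subscriber-supplied markup in a CDATA section, as a crafted feed would.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Hello</title>
      <description><![CDATA[<b>bold</b> <script>alert('xss')</script>]]></description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return (title, description) pairs for every <item> in the feed.

    The parser removes the CDATA wrapper and hands back the text inside it
    unchanged, so the description comes out as raw markup.
    """
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        items.append((title, desc))
    return items


def render_unsafe(items):
    """The vulnerable pattern: parsed CDATA text inserted directly into HTML."""
    return "".join(f"<h2>{t}</h2><p>{d}</p>" for t, d in items)


def render_safe(items):
    """The fixed pattern: escape every feed-controlled string before it
    reaches the page. html.escape with quote=True encodes <, >, &, " and ',
    which is what htmlentities() with ENT_QUOTES does in PHP."""
    return "".join(
        f"<h2>{html.escape(t, quote=True)}</h2><p>{html.escape(d, quote=True)}</p>"
        for t, d in items
    )


def contains_live_script(rendered):
    """Crude check used only to show the difference between the two renderers:
    does an unescaped <script tag survive into the output?"""
    return "<script" in rendered


if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    print("parsed description:", items[0][1])
    print("unsafe render has live script:", contains_live_script(render_unsafe(items)))
    print("safe render has live script:  ", contains_live_script(render_safe(items)))
```

Escaping everything, as the post suggests, also neutralises the benign `<b>` tag in the sample; feeds commonly carry legitimate HTML in descriptions, so a renderer that wants to keep that formatting needs an allowlist-based HTML sanitizer instead of blanket escaping. Either way, the rule is the same: nothing from the feed reaches the page as markup unless it has been escaped or sanitized first.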
