Date: Thu Feb 23 14:02:03 2006
From: cedric.blancher at hotmail.com (Cedric Blancher)
Subject: Google Reader "preview" and "lens" script improper feed validation

hey, nice. Thanks ! :)

Good that you have brought up this issue. With the increase in popularity 
of RSS, it is going to be the target of future bot and worm attacks. RSS 
feed hijacking will soon become commonplace for worms to easily enter user 
systems through RSS feeds or news aggregators.

The worst case scenario in today's RSS is someone posting a link to a malicious 
website in their RSS feed. This website then takes advantage of browser 
flaws to infect the user's system.


nice work

Cedric

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk 
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Debasis 
Mohanty
Sent: Wednesday, February 22, 2006 11:30 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Google Reader "preview" and "lens" script improper feed validation

Google Reader "preview" and "lens" script improper feed validation 
===================================================================

I. DESCRIPTION

Google Reader (http://www.google.com/reader/) helps organise the contents of 
those rss or atom feeds in which the user is interested or to which (s)he has 
subscribed. Instead of continuously checking his/her favorite sites or 
discussion groups for updates, the user can let Google Reader do it for them.
From news sites to your friends' blogs, Google Reader helps the user stay 
up-to-date with all the online information that matters most.


II. VULNERABILITY DETAILS

Google reader is supposed to display only those contents which the user has 
subscribed to; however, two vulnerabilities have been identified which may 
allow an attacker to entice its victim (using the google reader service) to 
view unwanted web contents carrying malicious payloads.


a. Google reader "preview" script improper feed validation (without user authentication)
----------------------------------------------------------------------------------------
Google feed reader "preview" script: The script
(http://www.google.com/reader/preview/*/feed/) is normally used for 
displaying the feed contents within the reader.

For example, the following request will display the rss content of the link
http://www.microsoft.com/athome/security/rss/rssfeed.aspx:

http://www.google.com/reader/preview/*/feed/http://www.microsoft.com/athome/security/rss/rssfeed.aspx

Note: '*' in the above link can be replaced with any word of your choice; 
otherwise it can be left as it is.

This 'preview' script is only available to authenticated users, but if a 
direct link is provided it doesn't ask for user authentication. It can be 
very useful for an attacker to mount an attack on its victim by directing 
them to view the content of malicious sites (carrying evil payloads).


b. Google reader "lens" script improper feed validation (with user authentication)
----------------------------------------------------------------------------------
Google feed reader "lens" script: The script
(http://www.google.com/reader/lens/feed/) is normally used for displaying 
contents of only those feeds to which an authenticated user has subscribed 
to.

However, it is possible to pass to the script as a parameter any rss / atom 
feed to which the user has not subscribed, and the un-subscribed feed 
contents will still be loaded within the user's reader page.

For example, the following request will display the rss content of the link
http://www.securityfocus.com/rss/news.xml:
http://www.google.com/reader/lens/feed/http://www.securityfocus.com/rss/news.xml

This 'lens' script is only available to authenticated users and can be 
useful for an attacker to mount an attack on its victim by directing them 
to view the content of malicious sites (carrying evil payloads) even though 
the user is not subscribed to them.


III. VENDOR
Google.com



IV. HISTORY
30th Jan, 2006 -	Bug originally discovered
2nd Feb, 2006 -	Vendor Notified
...
...
No vendor response
...
...
22nd Feb, 2006 -	Vendor Notified again
22nd Feb, 2006 -	Public Disclosure


V. CREDITS
Debasis Mohanty
www.hackingspirits.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
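As an added illustration (not code from the advisory, from Google, or from either poster), the two request shapes the advisory describes are parsed by a toy handler: the first function reproduces the reported behaviour (any feed URL is rendered, preview without login), the second shows the checks a defender would expect (login on both endpoints, http(s) only, feed must be on the user's own subscription list). The subscription table, user name and example hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample subscription table: user -> set of feed URLs (an assumption, not Google's data).
SUBSCRIPTIONS = {
    "alice": {"http://www.microsoft.com/athome/security/rss/rssfeed.aspx"},
}

# Paths as described in the advisory:
#   /reader/preview/<any word>/feed/<feed url>   and   /reader/lens/feed/<feed url>
PATH_RE = re.compile(r"^/reader/(?:preview/[^/]+|lens)/feed/(?P<feed>.+)$")


def extract_feed_url(path):
    """Return the feed URL carried in the request path, or None if this is not a feed endpoint."""
    m = PATH_RE.match(path)
    return m.group("feed") if m else None


def vulnerable_render(path, user=None):
    """Behaviour the advisory reports: every feed is rendered; only 'lens' asks for a login."""
    feed = extract_feed_url(path)
    if feed is None:
        return ("error", "not a feed endpoint")
    if path.startswith("/reader/lens/") and user is None:
        return ("error", "authentication required")
    return ("render", feed)  # no subscription check and no URL check at all


def hardened_render(path, user=None):
    """Same endpoints with the missing checks: login, sane URL, and subscription allow-list."""
    feed = extract_feed_url(path)
    if feed is None:
        return ("error", "not a feed endpoint")
    if user is None:
        return ("error", "authentication required")  # preview no longer works unauthenticated
    parts = urlsplit(feed)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ("error", "unsupported feed URL")     # reject non-web schemes and malformed URLs
    if feed not in SUBSCRIPTIONS.get(user, set()):
        return ("error", "feed not in user's subscriptions")  # only feeds the user chose are shown
    return ("render", feed)
```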
