Full Disclosure mailing list archives
RE: Google Reader "preview" and "lens" script improper feed val
From: "Cedric Blancher" <cedric.blancher () hotmail com>
Date: Thu, 23 Feb 2006 07:01:42 -0700
Hey, nice. Thanks! :)

Good that you have brought up this issue. With the increase in popularity for RSS, it is going to be the target for future bot and worm attacks. RSS feed hijacking will soon become commonplace for worms to easily enter user systems through RSS feeds or news aggregators.

The worst-case scenario in today's RSS is someone posting a link to a malicious website in their RSS feed. This website then takes advantage of browser flaws to infect the user's system.

Nice work.

Cedric

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Debasis Mohanty
Sent: Wednesday, February 22, 2006 11:30 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Google Reader "preview" and "lens" script improper feed validation
Google Reader "preview" and "lens" script improper feed validation
===================================================================

I. DESCRIPTION

Google Reader (http://www.google.com/reader/) helps organise the contents of those RSS or Atom feeds the user is interested in or subscribed to. Instead of continuously checking his/her favorite sites or discussion groups for updates, the user can let Google Reader do it for them. From news sites to your friends' blogs, Google Reader helps stay up-to-date with all the online information that matters most to the user.

II. VULNERABILITY DETAILS

Google Reader is supposed to display only those contents which the user has subscribed to; however, two vulnerabilities have been identified which may allow an attacker to entice its victim (using the Google Reader service) to view unwanted web content carrying malicious payloads.
a. Google Reader "preview" script improper feed validation (without user authentication)
----------------------------------------------------------------------------------------

Google feed reader "preview" script: The script (http://www.google.com/reader/preview/*/feed/) is normally used for displaying the feed contents within the reader.

For example, the following request will display the RSS content of the link http://www.microsoft.com/athome/security/rss/rssfeed.aspx:

http://www.google.com/reader/preview/*/feed/http://www.microsoft.com/athome/security/rss/rssfeed.aspx

Note: '*' in the above link can be replaced with any word of your choice; otherwise it can be left as it is.

This 'preview' script is only available to authenticated users, but if a direct link is provided it doesn't ask for user authentication. It can be very useful for an attacker to mount an attack on its victim by directing them to view the content of malicious sites (carrying evil payloads).
b. Google Reader "lens" script improper feed validation (with user authentication)
----------------------------------------------------------------------------------

Google feed reader "lens" script: The script (http://www.google.com/reader/lens/feed/) is normally used for displaying contents of only those feeds to which an authenticated user has subscribed.

However, it is possible to pass any RSS / Atom feed to which the user has not subscribed to the script as a parameter, and the unsubscribed feed contents can still be loaded within the user's reader page.

For example, the following request will display the RSS content of the link http://www.securityfocus.com/rss/news.xml:

http://www.google.com/reader/lens/feed/http://www.securityfocus.com/rss/news.xml

This 'lens' script is only available to authenticated users and can be useful for an attacker to mount an attack on its victim by directing them to view the content of malicious sites (carrying evil payloads) even though the user is not subscribed to them.
III. VENDOR

Google.com

IV. HISTORY

30th Jan, 2006 - Bug originally discovered
2nd Feb, 2006 - Vendor Notified
... ... No vendor response ... ...
22nd Feb, 2006 - Vendor Notified again
22nd Feb, 2006 - Public Disclosure

V. CREDITS

Debasis Mohanty
www.hackingspirits.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
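As an added illustration of the fix the two endpoints in the advisory were missing (this is not Google's code): a server-side authorisation check that requires a session for both paths and only renders feeds on the user's own subscription list. The path layouts are taken from the advisory; the Session model, URL normalisation and function names are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

@dataclass
class Session:
    authenticated: bool
    subscriptions: set = field(default_factory=set)  # normalised feed URLs

def normalise_feed_url(url: str) -> str:
    """Canonicalise so allowlist lookups are not bypassed by case,
    default ports or a missing path."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    if scheme not in ("http", "https") or not p.hostname:
        raise ValueError("feed URL must be absolute http(s)")
    default = 80 if scheme == "http" else 443
    netloc = p.hostname.lower()
    if p.port not in (None, default):
        netloc += f":{p.port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))

def extract_feed_url(path: str):
    """Feed URL carried in /reader/lens/feed/<url> or
    /reader/preview/<label>/feed/<url>; None for any other path."""
    lens = "/reader/lens/feed/"
    if path.startswith(lens):
        return path[len(lens):]
    pre = "/reader/preview/"
    if path.startswith(pre):
        label, sep, tail = path[len(pre):].partition("/feed/")
        if sep and label and "/" not in label:
            return tail
    return None

def authorise_feed_render(session: Session, path: str) -> tuple:
    """Return (HTTP status, detail). The advisory's behaviour: preview rendered
    for anyone holding the link, lens rendered any feed for a logged-in user."""
    feed = extract_feed_url(path)
    if feed is None:
        return 404, "not a feed render path"
    if not session.authenticated:
        return 401, "authentication required"       # closes the preview hole
    try:
        canon = normalise_feed_url(feed)
    except ValueError as exc:
        return 400, str(exc)
    if canon not in session.subscriptions:
        return 403, "feed not in subscriptions"     # closes the lens hole
    return 200, canon
```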