Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

[Michal Zalewski <lcamtuf () coredump cx>]

> Back in 2006, there was interesting research done by James Holderness[1] and
> James M. Snell[2] which uncovered a variety of XSS issues in various online
> feed aggregator services (e.g. Feed Demon). The vulnerability arises from
> the fact that it is not expected of RSS readers to render scripted content.
> I want to extend that research by doing threat analysis on inbuilt feed
> readers offered in most modern browsers. I have found Google Chrome (v2,3)
> and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8), Firefox
> 3.5 and Safari 4 are resilient to the exploits mentioned below.

To be precise, Chrome does *not* have a built-in feed reader, and
instead, attempts to render the payload as a generic XML/HTML document
- which causes the behavior observed. The behavior of Chrome, MSIE6,
and Opera is actually covered for a longer while in Browser Security
Handbook:

http://code.google.com/p/browsersec/wiki/Part1#Other_built-in_document_formats

More specifically, this is outlined in the "Is generic XML document
support present?", "Is RSS feed support present?", "Is ATOM feed
support present?", "Does JavaScript execute within feeds?", and "Are
javascript: or data: URLs permitted in feeds?" tests.

There are also some interesting details related to SVG and other XML
formats along these same lines.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/