Full Disclosure mailing list archives
Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 16 Sep 2009 00:07:08 -0700
Back in 2006, there was interesting research done by James Holderness[1] and James M. Snell[2] which uncovered a variety of XSS issues in various online feed aggregator services (e.g. Feed Demon). The vulnerability arises from the fact that it is not expected of RSS readers to render scripted content. I want to extend that research by doing threat analysis on inbuilt feed readers offered in most modern browsers. I have found Google Chrome (v2,3) and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8), Firefox 3.5 and Safari 4 are resilient to the exploits mentioned below.
To be precise, Chrome does *not* have a built-in feed reader, and instead, attempts to render the payload as a generic XML/HTML document - which causes the behavior observed. The behavior of Chrome, MSIE6, and Opera is actually covered for a longer while in Browser Security Handbook: http://code.google.com/p/browsersec/wiki/Part1#Other_built-in_document_formats More specifically, this is outlined in the "Is generic XML document support present?", "Is RSS feed support present?", "Is ATOM feed support present?", "Does JavaScript execute within feeds?", and "Are javascript: or data: URLs permitted in feeds?" tests. There are also some interesting details related to SVG and other XML formats along these same lines. Cheers, /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more Inferno (Sep 15)
- Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more Michal Zalewski (Sep 16)