Full Disclosure mailing list archives
Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more
From: "Inferno" <inferno () securethoughts com>
Date: Wed, 16 Sep 2009 01:23:46 -0700
Hi Michal,

Thanks for clarifying the feed reader functionality in Chrome and the link to the browser security handbook. The browser security handbook is a great resource; sorry, I missed reading that section on RSS. A question I had was that it mentions the Opera browser does not render javascript inside feeds, whereas I found that it does. Also, for Chrome, now since it has removed the script rendering part completely, I think the handbook might need a slight update for both Opera and Chrome in the next version revision. Thanks for your efforts in developing such a useful resource for the community.

Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michal Zalewski
Sent: Wednesday, September 16, 2009 12:07 AM
To: Inferno
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more
Back in 2006, there was interesting research done by James Holderness[1] and James M. Snell[2] which uncovered a variety of XSS issues in various online feed aggregator services (e.g. Feed Demon). The vulnerability arises from the fact that it is not expected of RSS readers to render scripted content.

I want to extend that research by doing threat analysis on inbuilt feed readers offered in most modern browsers. I have found Google Chrome (v2,3) and Opera (v9,v10) to be vulnerable, while Internet Explorer (v7,8), Firefox 3.5 and Safari 4 are resilient to the exploits mentioned below.
To be precise, Chrome does *not* have a built-in feed reader, and instead attempts to render the payload as a generic XML/HTML document - which causes the behavior observed. The behavior of Chrome, MSIE6, and Opera has actually been covered for a longer while in the Browser Security Handbook:

http://code.google.com/p/browsersec/wiki/Part1#Other_built-in_document_formats

More specifically, this is outlined in the "Is generic XML document support present?", "Is RSS feed support present?", "Is ATOM feed support present?", "Does JavaScript execute within feeds?", and "Are javascript: or data: URLs permitted in feeds?" tests. There are also some interesting details related to SVG and other XML formats along these same lines.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
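As an added example (not code from either message in this thread), a defender-side check for the class of feed content the thread discusses: it parses RSS 2.0 items and Atom entries and flags embedded script elements, on* event-handler attributes, and javascript:/data: URLs in the HTML bodies a reader would render. The detection rules, the _ActiveContentFinder/scan_feed names and the constructed sample feed are assumptions, not taken from the thread or the Browser Security Handbook.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM = "{http://www.w3.org/2005/Atom}"
# Assumed risky URL schemes, matching the handbook tests named in the thread.
RISKY_SCHEMES = ("javascript:", "data:")


class _ActiveContentFinder(HTMLParser):
    """Collects script elements, on* handlers and risky URLs from HTML text."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name in ("href", "src") and value:
                scheme = value.strip().lower()
                if scheme.startswith(RISKY_SCHEMES):
                    self.findings.append(f"{name} uses {scheme.split(':')[0]}: URL")


def scan_feed(xml_text):
    """Return {entry title: [findings]} for entries whose HTML body carries active
    content. Assumes escaped HTML bodies (RSS description, Atom content/summary
    type="html"); Atom type="xhtml" bodies would need element-level inspection."""
    root = ET.fromstring(xml_text)
    report = {}
    for item in root.findall(".//item") + root.findall(f".//{ATOM}entry"):
        title = item.findtext("title") or item.findtext(f"{ATOM}title") or "(untitled)"
        bodies = (item.findtext("description"), item.findtext(f"{ATOM}content"),
                  item.findtext(f"{ATOM}summary"))
        finder = _ActiveContentFinder()
        for body in filter(None, bodies):
            finder.feed(body)  # ElementTree already unescaped &lt;script&gt; etc.
        if finder.findings:
            report[title] = finder.findings
    return report


# Constructed sample feed: one clean item and two carrying active content.
SAMPLE_RSS = """<rss version="2.0"><channel><title>constructed feed</title>
<item><title>clean</title><description>&lt;p&gt;plain text&lt;/p&gt;</description></item>
<item><title>scripted</title><description>&lt;script&gt;x()&lt;/script&gt;</description></item>
<item><title>link</title><description>&lt;a href="javascript:void(0)"&gt;a&lt;/a&gt;</description></item>
</channel></rss>"""
```

Running scan_feed(SAMPLE_RSS) reports only the "scripted" and "link" items; a feed proxy or aggregator can use the same check to strip or reject such entries before a browser that treats feeds as generic XML/HTML ever sees them.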