<<< Date Index >>>     <<< Thread Index >>>

feedsplitter considered harmful



I was looking through the feedsplitter.php script avaiable from 
http://chxo.com/software/feedsplitter/, version 2006-01-21 (revision 1.7 
according to the RCS $Id$, but that looks out of date) today, and noticed a few 
problems.  (Background: feedsplitter turns RSS feeds into HTML or javascript so 
you can easily embed them in non-dynamic sites.)

First, it has a "showsource" function, that discloses its source code to anyone 
on the Internet.  That's probably OK if you haven't made any confidential 
modification, but certainly not something that much software has built in.

Next, it allows a "format" to be specified in the URL query string.  This 
"format" is used to open an XML file named "$format.xml".  $format is checked 
for "."s in the filename, but if there is a dot in position 0, the check fails 
and filenames like "../../../../../confidential/data" are passed through and 
opened. (The name does have .xml appended, though, so you can only read 
confidential XML files).  

Next, this arbitrary XML file is eval()'d a number of times.  If file uploads 
are allowed to a server running this script, anyone can execute arbitrary PHP 
code.  That's a slight security problem, I think :)

Continuing, it appears that the fetched RSS feed from the untrusted Internet is 
also eval()'d a few times.  I'm not sure if code execution can happen or not -- 
there's some weird "stripslashes(addslashes($data))" going on.  I would think 
that's a NOP, but I'm a Perl Monger, not a PHP hacker, so I don't know what 
this is doing.  Anyway, potentially a problem.

Finally, it appears that any malicious HTML in the RSS feed is passed through, 
allowing an RSS administator to steal cookies (XSS, etc.) from any site that 
incorporates the output of feedsplitter.  It looks like the feed is being put 
through "addslashes", but I don't think that escapes HTML.  I haven't tested 
this, though, so YMMV.

Anyway, I recommend that you avoid this script until the above issues have been 
resolved.

Regards,
Jonathan Rockway