Re: feedsplitter considered harmful
Anyone look at the posted fix to this vulnerability yet? From the
http://chxo.com/software/feedsplitter/ website:
Sep 19, 2006:
Mandatory Upgrade: Feedsplitter 2006-09-19
Mandatory upgrade. This fixes the issues articulated in this post. I'm
sorry this took so long to fix, the author was unable to contact me (or didn't
try), and I don't follow bugtraq closely. Please click through for details and
new code.
This release fixes a damned embarassing directory traversal exploit,
whereby an attacker could potentially read any .xml file readable by the
webserver user, if they know the exact path.
This release also fixes a potential cross-site scripting exploit.
This release also removes a situation where an attacker could potentially
inject php code into the RSS feed. I wasn't able to get this exploit to work,
but the potential had to be addressed. This release does not eval() any part of
the feed, ever.
Finally, I added a built in test feed to prove that php and xss attacks
cannot be embedded in feeds. I heartily welcome any additional tests, please
let me know.