<<< Date Index >>>     <<< Thread Index >>>

Re: feedsplitter considered harmful



Anyone look at the posted fix to this vulnerability yet?  From the 
http://chxo.com/software/feedsplitter/ website:

Sep 19, 2006:
    Mandatory Upgrade: Feedsplitter 2006-09-19
    Mandatory upgrade. This fixes the issues articulated in this post. I'm 
sorry this took so long to fix, the author was unable to contact me (or didn't 
try), and I don't follow bugtraq closely. Please click through for details and 
new code.
    This release fixes a damned embarassing directory traversal exploit, 
whereby an attacker could potentially read any .xml file readable by the 
webserver user, if they know the exact path.
    This release also fixes a potential cross-site scripting exploit.
    This release also removes a situation where an attacker could potentially 
inject php code into the RSS feed. I wasn't able to get this exploit to work, 
but the potential had to be addressed. This release does not eval() any part of 
the feed, ever.
   Finally, I added a built in test feed to prove that php and xss attacks 
cannot be embedded in feeds. I heartily welcome any additional tests, please 
let me know.