RE: feedreader3 has XSS vulnerability

To: "'Guy Mizrahi'" <guy@xxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: feedreader3 has XSS vulnerability
From: "avivra" <avivra@xxxxxxxxx>
Date: Sun, 30 Sep 2007 15:26:44 +0200
Cc: <toomas@xxxxxxxxxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:cc:references:in-reply-to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; bh=P34S+FkHUwWhBX5L0BIDd6AWvYeUbhs1NNNg2VZbSsc=; b=nZwgAOFtKPMtNVrED7wzS83EoPgd+t1m4AGSlrjHEKXiz5Q+4e0tv++nKdNdGSpjwNHPA5dCAx4qe0nJOiLlqPV0HijkZVND1w3G70WPg078h0Pxwxt5jOyaI7/z50q/JuEc2q41hGHcDZLBv6wPSNe2LkkMyaxJugDmrlJ/WMM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:cc:references:in-reply-to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; b=hfrxFgscfpdegO65xuwxOgP5Wt9yqd8ucZp2qg170B1iPluxAgHBIXzGnfeoYRqO3VyHcQqed49XabWAoUdQOFydJP/OcZfNVGYInuqY6w/uBx5uv/x+W2x0y66q/mI7quCIOIE6d/bo2GXl5AdOL10EDKZN95iMvqG8KBq1GRo=
In-reply-to: <2E45EC57058C47CF9CF0D5EBBA1E3F7F@SRV>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <2E45EC57058C47CF9CF0D5EBBA1E3F7F@SRV>
Thread-index: AcgB8S1eDPa8tqPESPO1dL9KwljdRABcfK1Q

Hi,

This is a cross-zone scripting vulnerability.
FeedReader uses the IE browser control to render HTML.
The RSS reader converts the RSS item data to a formatted HTML file and
caches it locally. 
When the user clicks on the RSS item, the RSS reader displays the local
cached file, and any script in that file (or external references) will run
in Local Zone.
Therefore, an attacker can create/manipulate an RSS feed that will execute
arbitrary code on the user's machine.

Btw, according to Bugtrag (http://www.securityfocus.com/bid/25849/exploit)
an attacker must convince the victim into subscribing a malicious RSS feed.
As I've already discussed this in my blog post
(http://aviv.raffon.net/2007/08/16/VistaGadgetsGoneWild.aspx) regarding the
Windows Vista's RSS gadget, this claim is not true. In today's Web2.0 era,
if a remote code execution vulnerability exists in RSS readers, it is very
easy to create an RSS based worm.

--Aviv.

-----Original Message-----
From: Guy Mizrahi [mailto:guy@xxxxxxxxxxxxxx] 
Sent: Friday, September 28, 2007 3:02 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: feedreader3 has XSS vulnerability

Hello,

I have found that feedreader3 has XSS vulnerability in its internal browser.
When I post a script into wordpress( like <script>alert("XSS")</script>, the

RSS feed in the internal browser is vulnerable and show an alert box.
POC movie here:
http://www.hacking.org.il/demos/feedreader3.wmv

Guy Mizrahi (ZuLL)
Hebrew blog: http://www.hacking.org.il

References:
- feedreader3 has XSS vulnerability
  - From: Guy Mizrahi

Prev by Date: Affiliate Network Pro Multiple Input Validation and Local file inclusion
Next by Date: ASP Product catalog SQL injection vulnerability
Previous by thread: feedreader3 has XSS vulnerability
Next by thread: [SECURITY] [DSA 1378-2] New Linux 2.6.18 packages fix several vulnerabilities
Index(es):
- Date
- Thread