MagpieRSS XSS 0day

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MagpieRSS XSS 0day
From: admin@xxxxxxxxxxxxx
Date: 28 Dec 2008 22:50:56 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello,

I have found a Cross Site Scripting vulnerability in MagpieRSS, an RSS parser 
written in PHP, basically, this piece of software enables users to add their 
own RSS feeds to be parsed, so they can keep up to date with their favourite 
feeds, as well as the pre-defined ones.

I crafted my own RSS feed, which contains XSS inside the CDATA.

Here is the XML file I used: http://www.elites0ft.com/poc.xml

If for example, I ask a user to subscribe to my feed, after disguising it as a 
real feed, I then go and update it with malicious content, the RSS parser will 
then parse the updated content and the user will end up loading an Iframe with 
a cookie stealer inside.

The reason this happens is because the CDATA is not getting escaped, it is a 
simple fix: htmlentities() around the parsed CDATA.

This is a potentially harmful exploit if you can convince users to add your 
feed.

Thanks for reading,
system_meltdown.
[Elites0ft.com]

Follow-Ups:
- Re: MagpieRSS XSS 0day
  - From: Antone Roundy

Prev by Date: Mavi Emlak Sql Injection
Next by Date: Re: Re: Google Chrome Browser (ChromeHTML://) remote parameter injection POC
Previous by thread: Mavi Emlak Sql Injection
Next by thread: Re: MagpieRSS XSS 0day
Index(es):
- Date
- Thread