Security Hole?
Is your RSS reader secure?
This is a weblog post that contains an HTML script element. The script tries to determine which domain it is running in; if that domain is not “erik.eae.net”, the script is running in the reader's own origin, which means it can read data from that domain and post it to a malicious site. An especially dangerous scenario is an RSS reader that displays the feed over the file: protocol, because that would mean any text file on the computer could be read.
August 12th, 2004 at 16:00
that’s pretty scary…. hadn’t really thought of that *blink*
least you can still simply unsubscribe from an RSS feed should you find that it’s doing something like that inside the pulled feeds… probably have to create a damn “Black List” of such feeds at some point in the future… sad, really.
damn spammers.
August 12th, 2004 at 16:43
Please confirm if I get this right; if the feed’s HTML contains a script then it exposes a security issue because it might retrieve local files through the file:\ protocol and post to remote through XMLHTTP or a simple form POST? Why not filter the feed after parsing it, since it is a string at the end of the day (i.e. string:replace)? Today is my “questioning” day
August 14th, 2004 at 12:21
Yup, filtering the HTML would work but it is a bit tricky. There are tons of ways to inject code into a browser rendering engine these days.
August 14th, 2004 at 20:00
Do you believe filtering
August 14th, 2004 at 20:03
oh the comments section is tag sensitive. Correction to first line;
Do you believe filtering script and object tags won’t be enough? onload handlers can also be taken into account. Just checking if there is any other evil way that we should be aware of.
August 15th, 2004 at 17:27
boombastic: If I remember correctly, there is purposefully no way for a script to POST an arbitrary file of its own choice, specifically for that reason.
August 15th, 2004 at 19:44
tjf: that makes sense. Because the file selector can do amazing things if that is the case. I never read or tried to play evil with this stuff, more like wtf should we be aware of if the application is running under IE or within an HTA (or even on the desktop through WinInet). Perhaps someone can bring a spotlight on this.
August 17th, 2004 at 0:03
tjf: Well, if your RSS reader is using the file system and has scripting enabled, a page can read any known file and send that data to some server on the internet. In Mozilla, using the file: URI scheme it can point to / (or c:\) and read the names of the files and folders, and in this way find a specific file.