Security Hole?

Is your RSS reader secure?

This weblog post contains an HTML script element. The script checks which domain it is running in; if that domain is not “erik.eae.net”, the script is executing in some other origin (for example an RSS reader’s own page) and can therefore read that origin’s data and post it to a malicious site. An especially dangerous case is an RSS reader that displays the feed from a file: URL, because a script running there could read any text file on the computer.

  • http://www.forgetfoo.com/ foO

that’s pretty scary… hadn’t really thought of that *blink*

At least you can still simply unsubscribe from an RSS feed should you find that it’s doing something like that inside the pulled feeds… probably have to create a damn “Black List” of such feeds at some point in the future… sad, really.

    damn spammers.

  • boombastic

Please confirm if I get this right: if the feed’s HTML contains a script then it exposes a security issue because it might retrieve local files through the file: protocol and post them to a remote site through XMLHTTP or a simple form POST? Why not filter the feed after parsing it, since it is a string at the end of the day (i.e. string:replace)? Today is my “questioning” day :)

  • http://erik.eae.net Erik Arvidsson

Yup, filtering the HTML would work, but it is a bit tricky. There are tons of ways to inject code into a browser rendering engine these days.

  • boombastic

    Do you believe filtering

  • boombastic

oh, the comments section is tag sensitive. Correction to the first line:
Do you believe filtering script and object tags won’t be enough? onload handlers can also be taken into account. Just checking if there is any other evil way that we should be aware of.
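
The probe described in the post, together with the filtering idea discussed in this comment and the ones above, as an added JavaScript example (not code from the original post or from any feed reader). It assumes a small location-like object in place of window.location, treats “erik.eae.net” as the trusted host, and filters a constructed sample feed item. The blacklist filter strips only script and object tags and onload handlers, which is the approach suggested here; the sample slips past it with an onerror handler, a javascript: link and an iframe. The allowlist filter keeps a handful of harmless tags and only http(s)/mailto hrefs, which is the general shape a sanitizer needs.

```javascript
// Added example, not code from the original post or from any RSS reader.
const TRUSTED_HOST = "erik.eae.net"; // assumption: the blog's own host

// The post's probe: is this HTML being rendered somewhere other than the
// origin it was published on? `loc` stands in for window.location
// ({ protocol, hostname }). A file: URL is the worst case, since script
// running there can read local files.
function renderedOffOrigin(loc) {
  if (loc.protocol === "file:") return true;
  return loc.hostname !== TRUSTED_HOST;
}

// Blacklist filter, as proposed in the comments: remove script/object tags
// and onload attributes, leave everything else alone.
function blacklistFilter(html) {
  return html
    .replace(/<\/?(script|object)[^>]*>/gi, "")
    .replace(/\s+onload\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Allowlist filter: keep only known-harmless tags and attributes. Every on*
// attribute, every unknown tag and every non-http(s)/mailto href is dropped,
// so new injection vectors never need to be enumerated.
const ALLOWED_TAGS = new Set([
  "p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br",
  "blockquote", "code", "pre",
]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

function allowlistFilter(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, name, attrs) => {
    const lname = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lname)) return "";
    if (tag.startsWith("</")) return `</${lname}>`;
    const allowed = ALLOWED_ATTRS[lname] || new Set();
    const kept = [];
    const attrRe = /([a-zA-Z:-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const aname = m[1].toLowerCase();
      const value = (m[3] ?? m[4] ?? m[5] ?? "").trim();
      if (!allowed.has(aname)) continue;
      // Only plain http(s)/mailto links; javascript:, data:, file: etc. are dropped.
      if (aname === "href" && !/^(https?:|mailto:)/i.test(value)) continue;
      kept.push(`${aname}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${lname}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Quick check used below: does the filtered output still carry anything that
// a browser would execute?
function looksActive(html) {
  return /<script|<object|<embed|<iframe|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample feed item (not from the original page). It uses none of
// the tags the blacklist removes, yet still runs script three different ways.
const SAMPLE_ITEM =
  '<p>Hello</p>' +
  '<img src="x" onerror="alert(1)">' +
  '<a href="javascript:alert(2)">link</a>' +
  '<iframe src="file:///"></iframe>';

console.log("probe on file: URL  :", renderedOffOrigin({ protocol: "file:", hostname: "" }));
console.log("probe on own host   :", renderedOffOrigin({ protocol: "http:", hostname: TRUSTED_HOST }));
console.log("blacklist still live:", looksActive(blacklistFilter(SAMPLE_ITEM)));
console.log("allowlist output    :", allowlistFilter(SAMPLE_ITEM));
```

The allowlist filter is regex based only to keep the example self-contained; browsers accept markup this regex does not model, so a real reader should tokenize with a proper HTML parser, and better still render feed HTML with scripting disabled in an origin that holds nothing worth reading.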

  • http://tom.printf.net/ tjf

boombastic: If I remember correctly, there is purposefully no way for a script to POST an arbitrary file of its own choice, specifically for that reason.

  • boombastic

tjf: that makes sense. Because a file selector could do amazing things if that were the case. I have never read about or tried to play evil with this stuff; it’s more like, wtf should we be aware of if the application is running under IE or within an HTA (or even on the desktop through WinInet)? Perhaps someone can bring a spotlight on this.

  • http://erik.eae.net Erik Arvidsson

tjf: Well, if your RSS reader is using the file system and has scripting enabled, a page can read any known file and send that data to some server on the internet. In Mozilla, using the file: URI scheme, it can point to / (or c:\), read the names of the files and folders, and in this way find a specific file.