Re: [Full-disclosure] feedreader3 has XSS vulnerability



Hi,

This is a cross-zone scripting vulnerability.
FeedReader uses the IE browser control to render HTML.
The RSS reader converts the RSS item data to a formatted HTML file and
caches it locally.
When the user clicks on the RSS item, the RSS reader displays the local
cached file, and any script in that file (or external references) will run
in Local Zone.
Therefore, an attacker can create/manipulate an RSS feed that will execute
arbitrary code on the user's machine.

Btw, according to Bugtraq (http://www.securityfocus.com/bid/25849/exploit)
an attacker must convince the victim to subscribe to a malicious RSS feed.
As I've already discussed in my blog post
(http://aviv.raffon.net/2007/08/16/VistaGadgetsGoneWild.aspx) regarding the
Windows Vista RSS gadget, this claim is not true. In today's Web2.0 era,
if a remote code execution vulnerability exists in RSS readers, it is very
easy to create an RSS-based worm.

--Aviv.

-----Original Message-----
From: Guy Mizrahi [mailto:guy@xxxxxxxxxxxxxx]
Sent: Friday, September 28, 2007 3:02 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: feedreader3 has XSS vulnerability

Hello,

I have found that feedreader3 has an XSS vulnerability in its internal browser.
When I post a script into WordPress (like <script>alert("XSS")</script>), the
RSS feed in the internal browser is vulnerable and shows an alert box.
POC movie here:
http://www.hacking.org.il/demos/feedreader3.wmv

Guy Mizrahi (ZuLL)
Hebrew blog: http://www.hacking.org.il
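As an added example, not code from either poster or from FeedReader: a Python allowlist sanitizer of the kind a reader should apply to each item's description before writing the cached HTML file, so the <script> from the report (and event handlers or javascript: links) never reach the local-zone renderer. The sample feed, tag list and function names are constructed for this demonstration.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
# Constructed sample feed (not from the thread): item "evil" carries the
# script payload from the report plus two vectors a tag blocklist would miss.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>benign</title><description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>evil</title><description>&lt;p onmouseover="alert(1)"&gt;x&lt;/p&gt;&lt;script&gt;alert("XSS")&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;link&lt;/a&gt;</description></item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # no event handlers, style, src, ...
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript:, vbscript:, data:

class Sanitizer(HTMLParser):
    """Allowlist sanitizer: unknown tags are dropped, script/style bodies are
    discarded, only http(s) hrefs on <a> survive, and text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0       # skip > 0 while inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                           if n in ALLOWED_ATTRS.get(tag, ()) and v
                           and v.strip().lower().startswith(SAFE_SCHEMES))
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(fragment):
    # Returns the allowlisted HTML that may be written to the local cache.
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

def render_items(feed_xml):
    """Map item title -> sanitized description for every <item> in the feed."""
    root = ET.fromstring(feed_xml)
    return {i.findtext("title"): sanitize(i.findtext("description") or "")
            for i in root.iter("item")}
```

Sanitizing the markup limits what a feed can inject but does not change the zone in which the cached file runs; rendering feed content in a restricted zone instead of from a local file is the complementary fix.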


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


