
MagpieRSS XSS 0day






Hello,

I have found a Cross Site Scripting vulnerability in MagpieRSS, an RSS parser written in PHP. Basically, this piece of software enables users to add their own RSS feeds to be parsed, so they can keep up to date with their favourite feeds, as well as the pre-defined ones.

I crafted my own RSS feed, which contains XSS inside the CDATA.

Here is the XML file I used: http://www.elites0ft.com/poc.xml

If, for example, I ask a user to subscribe to my feed after disguising it as a real feed, and I then go and update it with malicious content, the RSS parser will then parse the updated content and the user will end up loading an iframe with a cookie stealer inside.

The reason this happens is that the CDATA is not getting escaped. It is a simple fix: htmlentities() around the parsed CDATA.

This is a potentially harmful exploit if you can convince users to add your feed.

Thanks for reading,
system_meltdown.
[Elites0ft.com]
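
The fix described in the post, as an added example that is not part of the original post or of MagpieRSS's code: it parses a constructed feed and shows the CDATA content before and after htmlentities(). PHP's SimpleXML stands in for MagpieRSS's own parsing, and the feed, the esc() and render_items() helpers and the example.invalid URL are assumptions made for illustration.

```php
<?php
// Constructed sample feed (not the PoC from the post): the item description
// carries markup inside CDATA, which the XML parser hands back verbatim.
$feed = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Update</title>
      <description><![CDATA[<iframe src="https://example.invalid/"></iframe>]]></description>
    </item>
  </channel>
</rss>
XML;

// Hypothetical helper: escape feed-supplied text for an HTML context.
// ENT_QUOTES also encodes single quotes, so the value stays inert inside
// quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function esc(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: parse the feed and return each item's description
// both as parsed and as escaped for output.
function render_items(string $xml): array
{
    // LIBXML_NOCDATA merges CDATA into text nodes; LIBXML_NONET stops the
    // parser from fetching external resources.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('feed is not well-formed XML');
    }
    $out = [];
    foreach ($doc->channel->item as $item) {
        $raw = (string) $item->description; // CDATA content, markup intact
        $out[] = ['raw' => $raw, 'escaped' => esc($raw)];
    }
    return $out;
}

foreach (render_items($feed) as $row) {
    echo "unescaped: {$row['raw']}\n";     // what an unescaped template would emit
    echo "escaped:   {$row['escaped']}\n"; // displayed by the browser as plain text
}
```

Escaping has to be applied to every feed-controlled field that reaches the page (titles and link text as well as descriptions), since CDATA can appear in any of them.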
