Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

feedsplitter considered harmful
From: jon () jrock us
Date: 30 Aug 2006 20:09:27 -0000
I was looking through the feedsplitter.php script avaiable from http://chxo.com/software/feedsplitter/, version 
2006-01-21 (revision 1.7 according to the RCS $Id$, but that looks out of date) today, and noticed a few problems.  
(Background: feedsplitter turns RSS feeds into HTML or javascript so you can easily embed them in non-dynamic sites.)

First, it has a "showsource" function, that discloses its source code to anyone on the Internet.  That's probably OK if 
you haven't made any confidential modification, but certainly not something that much software has built in.

Next, it allows a "format" to be specified in the URL query string.  This "format" is used to open an XML file named 
"$format.xml".  $format is checked for "."s in the filename, but if there is a dot in position 0, the check fails and 
filenames like "../../../../../confidential/data" are passed through and opened. (The name does have .xml appended, 
though, so you can only read confidential XML files).  

Next, this arbitrary XML file is eval()'d a number of times.  If file uploads are allowed to a server running this 
script, anyone can execute arbitrary PHP code.  That's a slight security problem, I think :)

Continuing, it appears that the fetched RSS feed from the untrusted Internet is also eval()'d a few times.  I'm not 
sure if code execution can happen or not -- there's some weird "stripslashes(addslashes($data))" going on.  I would 
think that's a NOP, but I'm a Perl Monger, not a PHP hacker, so I don't know what this is doing.  Anyway, potentially a 
problem.

Finally, it appears that any malicious HTML in the RSS feed is passed through, allowing an RSS administator to steal 
cookies (XSS, etc.) from any site that incorporates the output of feedsplitter.  It looks like the feed is being put 
through "addslashes", but I don't think that escapes HTML.  I haven't tested this, though, so YMMV.

Anyway, I recommend that you avoid this script until the above issues have been resolved.

Regards,
Jonathan Rockway

  By Date           By Thread  

Current thread:
  • feedsplitter considered harmful jon (Aug 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]