myhack58 | Anonymous (佚名) | MYHACK58:62200613333
Dec 18, 2006 - 12:00 a.m.

Potential security issues in RSS reading - Vulnerability warning - the black bar safety net

www.myhack58.com

Two days ago I read "Potential security issues in RSS reading | unfinished - Incomplete", which discusses how JavaScript mixed into the rich text of an RSS feed is executed by RSS reading clients, creating a potential vulnerability. Last weekend I happened to run into a similar problem, but a more serious one, in RSS aggregation on the server side. My home page uses require_once('lilina.html') to include the static page generated by lilina.php; the source code is below. This also carries a cross-server PHP script execution vulnerability: if a feed I subscribe to has had code such as <?php ?> mixed into it by a hacker, wouldn't this include run the PHP script directly on my server? I found this potential vulnerability because of a post in the MSN Search blog feed.

The problem on Sunday was this: on Sunday morning I suddenly found that the part of my blog pulled in by require could not be displayed. After investigating for a morning, it turned out that this PHP version turns display_errors off by default, so a program that hits an error simply stops executing; to see the error message you have to set ini_set('display_errors', true); in the PHP page, and then the error is displayed normally. I also made a separate test.php to display it and found that one line was causing a PHP parse error. After locating the line, I saw that it was a <? mark in an article from the MSN Search blog: because of require_once, the HTML code after it was treated as PHP code and executed as a PHP script, which of course produced a pile of errors. At first I thought of banning the <? marker by setting short_open_tag = Off in php.ini, but that is only a temporary workaround and would also cause more PHP code to leak. The correct method for including a static file is to open it with fopen and print it from a buffer line by line, so that any PHP code that may be in the remote content is not executed. I don't know whether PHP has a simple function that includes another file without executing the code in it. The code is as follows:

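```php
<?php
// Print the aggregated page as plain data instead of require/include,
// so any PHP tags inside the feed content are never parsed.
$filename = "lilina.html";
$dataFile = fopen($filename, "r");
if ($dataFile) {
    while (!feof($dataFile)) {
        // Read at most 4096 bytes per line and echo them unchanged.
        $buffer = fgets($dataFile, 4096);
        echo $buffer;
    }
    fclose($dataFile);
} else {
    die("fopen failed for $filename");
}
```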

Postscript: thanks to Zheng Kai, I am now using file_get_contents('lilina.html');.
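An added example (not code from the original post) showing the difference described above: the same cached page is parsed when pulled in with include, but stays inert when read as data. The page contents, the marker string and the helper neutralize_php_tags() are assumptions made for the illustration.

```php
<?php
// Added example, not the post's code. $page is constructed aggregator output:
// one feed item carries a harmless PHP marker where hostile code would sit.
$page = "<h2>Feed item</h2>\n<p>before <?php echo 'PARSED-AS-PHP'; ?> after</p>\n";
$cache = tempnam(sys_get_temp_dir(), 'agg');    // stand-in for lilina.html
file_put_contents($cache, $page);

// include/require sends the cached file through the PHP parser.
ob_start();
include $cache;
$included = ob_get_clean();

// Reading it as data passes the bytes through untouched.
$asData = file_get_contents($cache);
unlink($cache);

// Hypothetical write-time guard for the aggregator: no PHP open tag of any
// form ("<?php", "<?=", short "<?") survives into the cached page.
function neutralize_php_tags(string $html): string
{
    return str_replace('<?', '&lt;?', $html);
}

$tagRan = strpos($included, 'echo') === false;  // source text gone means it was executed
printf("include executed the tag: %s\n", var_export($tagRan, true));
printf("read as data is inert:    %s\n", var_export($asData === $page, true));
printf("neutralized for caching:  %s", neutralize_php_tags($page));
```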

Just as advertising resources always shift to follow people's attention, spam and malicious code of all kinds likewise follow changes in network users' attention. As RSS readers gradually start to become popular, malicious code is also eyeing RSS, this new reading tool.

Last week on the GreatNews user forum, one user expressed the hope that GreatNews would add a malicious-code filtering feature, because an RSS feed he subscribed to had been subjected to malicious harassment.

> I subscribe to an RSS link that had always been fine, but today when I viewed this channel it somehow jumped to the garbage site hxxp://mtv.5522.com/music/index.htm. I don't know which SB, recklessly spamming, applied for a blog with RSS included. Originally this kind just sent a bunch of text links; now it has upgraded, and whether you click or not you are sent straight out. Damn!
>
> I found the source file in Temp and analyzed it; the method used is to embed a script, <script src="http://flash.5522.com/ads/dvd.js"></script>, and then jump to the SB website. I wonder whether GN could add a script-blocking feature?

Although malicious code in feeds is not yet rampant, malicious sites have already discovered this new area and its potential, using JavaScript and ActiveX embedded in RSS to trigger automatic redirects or other behavior, and even to implant viruses or Trojans. Adding malicious-code filtering has become a new requirement for RSS readers.

By subscribing to a feed made specifically for testing RSS reader security (the feed's content contains bad code, so subscribe with care, although it will not cause significant harm to your computer), you can see that quite a few client RSS readers do not filter out the bad code. Evidently the underlying security of RSS has not yet attracted everyone's attention, but FeedDemon and GreatNews (build 339) do pass the security test.

The situation with online RSS readers is slightly better. Of the four online RSS readers I tested, Rojo, Bloglines, Gougou and Boyue, only Boyue showed the prompt indicating that the JS had been executed, so it has a security problem; the other three readers did not execute the embedded JS. On the other hand, only Bloglines displayed the content relatively normally, showing 10 articles, while Rojo did not display any content and Gougou and Boyue each displayed only one article, although the RSS actually contains 12 articles. So although the major online RSS readers restrict malicious code execution, they may not have a filter built specifically for malicious code in RSS, which is why the displayed result of their filtering has problems.
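One way to implement the kind of filtering discussed above, as an added example that is not code from GreatNews, lilina or any reader named here: it drops script-bearing elements, event-handler attributes and non-HTTP URL schemes from a feed item while keeping the article markup. The helper name sanitize_item_html(), the sample item and the host example.invalid are assumptions.

```php
<?php
// Added example: filter one feed item's HTML before it is displayed or cached.
// sanitize_item_html() is a hypothetical helper, not GreatNews or lilina code.
function sanitize_item_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // feed markup is rarely valid HTML
    // The leading meta tag makes libxml read the fragment as UTF-8; it is
    // removed again below together with every other meta element.
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xp = new DOMXPath($doc);
    // Nodes that run or load code are dropped whole, children included.
    $active = '//script|//iframe|//frame|//object|//embed|//applet|//meta|//base'
            . '|//comment()|//processing-instruction()';
    foreach (iterator_to_array($xp->query($active)) as $node) {
        $node->parentNode?->removeChild($node);
    }

    $urlAttrs = ['href', 'src', 'action', 'formaction', 'background', 'poster'];
    foreach (iterator_to_array($xp->query('//@*')) as $attr) {
        $name = strtolower($attr->nodeName);
        $isHandler = strncmp($name, 'on', 2) === 0;          // onclick, onload, ...
        // URL attributes: allow http(s), mailto and relative URLs only.
        $badUrl = in_array($name, $urlAttrs, true)
            && preg_match('#^\s*(https?:|mailto:|[^:]*$)#i', $attr->value) !== 1;
        if ($isHandler || $badUrl || $name === 'style') {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }

    $body = $doc->getElementsByTagName('body')->item(0);
    $children = $body ? $body->childNodes : [];
    $out = '';
    foreach ($children as $child) {
        $out .= $doc->saveHTML($child);
    }
    // Last line of defence for pages that are later include()d by PHP.
    return str_replace('<?', '&lt;?', $out);
}

// Constructed sample item; example.invalid is a placeholder host.
$item = '<p onclick="x()">Article <b>text</b> stays.</p>'
      . '<script src="http://example.invalid/ads.js"></script>'
      . '<a href="javascript:location=1">jump</a> <a href="/post/12">ok</a>';
echo sanitize_item_html($item), "\n";
```

Because only active nodes and attributes are removed, the item's paragraphs and ordinary links survive, which avoids the missing-article symptom seen when a reader discards whole entries.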

RSS reading was originally pure and simple, unaffected by blinking ads and annoying plug-ins. It should not, like web pages, become a place where malicious websites wreak havoc. Whether online or on the client, RSS readers should pay attention to this potential security problem, so that ordinary users do not unknowingly become captives of malicious websites.