
Feed2JS 1.7 Cross Site Scripting

Date: 08 May 2015 | Reported by: Jing Wang | Type: packetstorm | Source: packetstormsecurity.com

Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities in magpie_debug.php

Code
`*Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities*  
  
  
Exploit Title: Feed2JS v1.7 magpie_debug.php? &url parameter XSS Security  
Vulnerabilities  
Product: Feed2JS  
Vendor: feed2js.org  
Vulnerable Versions: v1.7  
Tested Version: v1.7  
Advisory Publication: May 09, 2015  
Latest Update: May 09, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: *  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
Writer and Reporter: Jing Wang [School of Physical and Mathematical  
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]  
(@justqdjing)  
  
  
  
  
*Proposition Details:*  
  
  
*(1) Vendor & Product Description:*  
  
  
*Vendor:*  
feed2js.org  
  
  
*Product & Vulnerable Versions:*  
Feed2JS  
v1.7  
  
  
*Vendor URL & Download:*  
Feed2JS can be downloaded from here,  
https://feed2js.org/index.php?s=download  
  
  
*Source code:*  
http://www.gnu.org/licenses/gpl.html  
  
  
*Product Introduction Overview:*  
"What is "Feed to JavaScript"? An RSS Feed is a dynamically generated  
summary (in XML format) of information or news published on other web  
sites- so when the published RSS changes, your web site will be  
automatically changed too. It is a rather simple technology that allows  
you, the humble web page designer, to have this content displayed in your  
own web page, without having to know a lick about XML! Think of it as a box  
you define on your web page that is able to update itself, whenever the  
source of the information changes, your web page does too, without you  
having to do a single thing to it. This Feed2JS web site (new and  
improved!) provides you a free service that can do all the hard work for  
you-- in 3 easy steps:  
Find the RSS source, the web address for the feed.  
Use our simple tool to build the JavaScript command that will display it  
Optionally style it up to look pretty.  
  
Please keep in mind that feeds are cached on our site for 60 minutes, so if  
you add content to your RSS feed, the updates will take at least an hour to  
appear in any other web site using Feed2JS to display that feed. To run  
these scripts, you need a web server capable of running PHP which is rather  
widely available (and free). You will need to FTP files to your server,  
perhaps change permissions, and make some basic edits to configure it for  
your system. I give you the code, getting it to work is on your shoulders.  
I will try to help, but cannot always promise answers."  
  
  
  
  
*(2) Vulnerability Details:*  
The Feed2JS web application has a security flaw that can be exploited by  
stored XSS attacks. This may allow a remote attacker to create a specially  
crafted request that would execute arbitrary script code in a user's  
browser session within the trust relationship between their browser and  
the server.  
  
Several other 0-day vulnerabilities in Feed2JS products have been found by  
other researchers before. Feed2JS has patched some of them.  
"Openwall software releases and other related files are also available from  
the Openwall file archive and its mirrors. You are encouraged to use the  
mirrors, but be sure to verify the signatures on software you download. The  
more experienced users and software developers may use our CVSweb server to  
browse through the source code for most pieces of Openwall software along  
with revision history information for each source file. We publish  
articles, make presentations, and offer professional services." Openwall  
has published suggestions, advisories, and solution details related to XSS  
vulnerabilities.  
  
  
*(2.1)* The first code flaw occurs at the "&url" parameter of the  
"magpie_debug.php?" page.  
  
  
  
  
  
*References:*  
http://www.tetraph.com/security/xss-vulnerability/feed2js-v1-7-xss/  
http://securityrelated.blogspot.com/2015/05/feed2js-v17-xss-cross-site-scripting.html  
http://www.inzeed.com/kaleidoscope/computer-web-security/feed2js-v1-7-xss/  
https://vulnerabilitypost.wordpress.com/2015/05/08/feed2js-v1-7-xss/  
http://whitehatpost.blog.163.com/blog/static/24223205420154810359682/  
https://progressive-comp.com/?l=full-disclosure&m=142907534026807&w=2  
https://www.bugscan.net/#!/x/21291  
http://bluereader.org/article/27452996  
http://lists.openwall.net/full-disclosure/2015/04/15/4  
  
  
  
  
--  
Jing Wang,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/justqdjing  
  
  
`
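
The advisory does not show the affected code, so the following is an added example, not Feed2JS or MagpieRSS source and not part of the original advisory: a hardened sketch of how a PHP debug page can accept a `url` parameter without letting it reach the HTML response unencoded. The function names `h`, `validated_feed_url` and `render_debug_page` are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in for a debug page that takes ?url=... (not Feed2JS or MagpieRSS source).

/** Encode untrusted text for an HTML body or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the URL if it is an absolute http(s) URL of sane length, otherwise null. */
function validated_feed_url(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2048 || filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    $host   = (string) parse_url($raw, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return null;
    }
    return $raw; // still untrusted text: URL validation is not an output filter
}

/** Build the page body; every echo of the parameter goes through h(). */
function render_debug_page(?string $rawUrl): string
{
    $url = validated_feed_url($rawUrl ?? '');
    if ($url === null) {
        return '<p>Invalid or missing feed URL.</p>'; // rejected value is never reflected
    }
    return '<form method="get"><input type="text" name="url" value="' . h($url) . '"></form>'
         . '<p>Debugging feed: ' . h($url) . '</p>';
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'none'; form-action 'self'");
    header('X-Content-Type-Options: nosniff');
    $param = $_GET['url'] ?? null;
    echo render_debug_page(is_string($param) ? $param : null); // array-valued ?url[]= is rejected
} else {
    // Constructed samples: a plain feed URL, a URL carrying markup characters, a non-http scheme.
    $samples = ['https://example.org/feed.xml', 'https://example.org/?q="><b>x</b>', 'javascript:void(0)'];
    foreach ($samples as $sample) {
        echo render_debug_page($sample), PHP_EOL;
    }
}
```

Debug scripts of this kind are also best removed from production deployments or placed behind authentication, since they are not needed to serve feeds.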
