feedsplitter considered harmful

Type securityvulns
Reporter Securityvulns
Modified 2006-08-31T00:00:00


I was looking through the feedsplitter.php script avaiable from http://chxo.com/software/feedsplitter/, version 2006-01-21 (revision 1.7 according to the RCS $Id$, but that looks out of date) today, and noticed a few problems. (Background: feedsplitter turns RSS feeds into HTML or javascript so you can easily embed them in non-dynamic sites.)

First, it has a "showsource" function, that discloses its source code to anyone on the Internet. That's probably OK if you haven't made any confidential modification, but certainly not something that much software has built in.

Next, it allows a "format" to be specified in the URL query string. This "format" is used to open an XML file named "$format.xml". $format is checked for "."s in the filename, but if there is a dot in position 0, the check fails and filenames like "../../../../../confidential/data" are passed through and opened. (The name does have .xml appended, though, so you can only read confidential XML files).

Next, this arbitrary XML file is eval()'d a number of times. If file uploads are allowed to a server running this script, anyone can execute arbitrary PHP code. That's a slight security problem, I think :)

Continuing, it appears that the fetched RSS feed from the untrusted Internet is also eval()'d a few times. I'm not sure if code execution can happen or not -- there's some weird "stripslashes(addslashes($data))" going on. I would think that's a NOP, but I'm a Perl Monger, not a PHP hacker, so I don't know what this is doing. Anyway, potentially a problem.

Finally, it appears that any malicious HTML in the RSS feed is passed through, allowing an RSS administator to steal cookies (XSS, etc.) from any site that incorporates the output of feedsplitter. It looks like the feed is being put through "addslashes", but I don't think that escapes HTML. I haven't tested this, though, so YMMV.

Anyway, I recommend that you avoid this script until the above issues have been resolved.

Regards, Jonathan Rockway