2 months ago, both pdp any myself released a vulnerability “Cross Context Scripting in Sage”. This issue was resolved in Sage release 1.3.7 (see: http://mozdev.org/bugs/show_bug.cgi?id=15101). I found a new vulnerability which affects the latest version, Sage 1.3.8. In addition to the XSS vulnerability, it should be noted (as in the previous vulnerability) that this issue occurs within the Local Browser Context.

Background:

A number of popular online RSS readers allow images to be embedded within Feeds. It has been known for some time now, that the amount of people subscribed to your feed can be determined by using the image src functionality. This is interesting from an anonymity point of view. I was curious to know just how well these applications would prevent and/or restrict the “img onload” features.

Ironically, Sage seems to handle this quite well. It removes any “onload” attribute within an IMG element. Sage also completely removes offending JavaScript code. However, it fails to remove the script tags when inserted within the IMG element. In addition to this, it will actually end the IMG element for us. For example:

<img src=”http://michaeldaw.org/images/jss.jpg” <script>alert(’blah’);</script> ></img>
becomes:
<img src=”http://michaeldaw.org/images/jss.jpg” > <script>alert(’blah’);</script> </img>
Notice the trailing > is removed and added before our JavaScript code.
This feed will open “/etc/passwd” for Linux users and “…./etc/hosts” for MS Windows users. Please note I have not tested the Windows feed.