RSS Injection in Sage part 2

Two months ago, pdp and I released a vulnerability, "Cross Context Scripting in Sage". This issue was resolved in Sage release 1.3.7 (see: http://mozdev.org/bugs/show_bug.cgi?id=15101). I have found a new vulnerability which affects the latest version, Sage 1.3.8. Beyond being an XSS vulnerability, it should be noted (as with the previous vulnerability) that this issue occurs within the Local Browser Context.

Background:
A number of popular online RSS readers allow images to be embedded within feeds. It has been known for some time now that the number of people subscribed to your feed can be determined by using the image src functionality. This is interesting from an anonymity point of view. I was curious to know just how well these applications would prevent and/or restrict the "img onload" features.

Ironically, Sage seems to handle this quite well. It removes any "onload" attribute within an IMG element. Sage also completely removes offending JavaScript code. However, it fails to remove script tags when they are inserted inside the IMG element's attribute list. In addition to this, it will actually end the IMG element for us, so the script tag lands outside the image tag as live markup. For example:

<img src="http://michaeldaw.org/images/jss.jpg" <script>alert('blah');</script> ></img>
becomes:
<img src="http://michaeldaw.org/images/jss.jpg" > <script>alert('blah');</script> </img>
Notice the trailing > is removed and added before our JavaScript code.
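The failure above comes from stripping pieces out of a tag and then reassembling it, which promotes leftover bytes into live markup. The following is an added example (my own, not Sage's code and not part of the original post) of the alternative: an allowlist sanitizer for feed item HTML that re-serializes only recognized tags and attributes and escapes everything else as text, so a malformed IMG tag is rendered harmlessly rather than "repaired". The allowed tag/attribute sets are assumptions chosen for the example.

```javascript
// Added example, not Sage's code. Allowlist sanitizer for feed item HTML:
// only known tags/attributes are re-emitted; everything else is escaped.
const ALLOWED = { p: [], b: [], i: [], a: ["href"], img: ["src", "alt"] }; // assumed set
const URL_ATTRS = new Set(["href", "src"]);
const VOID = new Set(["img"]);           // no closing tag is emitted for these

function escapeText(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Accept only plain http(s) URLs in URL-bearing attributes (rejects javascript:).
function safeUrl(v) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(v);
}

function sanitizeFeedHtml(html) {
  let out = "", i = 0;
  // A tag is "<", optional "/", a name, attributes, then ">". A "<" anywhere
  // inside the attribute region makes the match fail, so a tag like
  // <img src="..." <script>...> is escaped as text instead of reassembled.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"<]*"|'[^'<]*'|[^\s"'<>`]+))?)*)\s*\/?>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(i, m.index));   // text between tags
    i = m.index + m[0].length;
    const [, close, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (!(name in ALLOWED)) continue;            // unknown tag (e.g. script): dropped
    if (close) { if (!VOID.has(name)) out += `</${name}>`; continue; }
    let attrs = "";
    const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"<]*)"|'([^'<]*)'|([^\s"'<>`]+)))?/g;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED[name].includes(key)) continue;        // drops onload and friends
      if (URL_ATTRS.has(key) && !safeUrl(val)) continue; // drops non-http(s) URLs
      attrs += ` ${key}="${escapeText(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(i));        // trailing text
}
```

Run against the feed markup from this post, the output contains no tag at all: the broken IMG becomes visible text and the script body is shown literally, never executed.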

A proof of concept feed can be found here.
This feed will open “/etc/passwd” for Linux users and “…./etc/hosts” for MS Windows users. Please note I have not tested the Windows feed.

12 Comments so far

  1. pdp @ November 8th, 2006

    that’s awesome work. :)

  2. Rick @ November 8th, 2006

    I tested the Windows feed, it works. But you must correct a minor error listed below.
    Error
    missing ) after argument list
    Source
    req.send(null); alert(req.responseText } catch (e) {};

    And moreover, I also find Sage does nothing with the example code:
    alert('blah'); >My Sage XSS Vulnerability.
    but the demo still works.

    I use Windows XP SP2 and Firefox 2.0, Sage 1.3.8

  3. pagvac @ November 9th, 2006

    Sage p0wn3d (again)! :-)

  4. kd @ November 9th, 2006

    I too cannot get the alert('blah') to work. Any ideas?

  5. david.kierznowski @ November 9th, 2006

    Rick, thanks for checking that. I have corrected the missing ). I have also included an alert('blah') into the Windows exploit.

  6. Mike Shaver @ November 11th, 2006

    Was this vulnerability reported to the Sage authors?

  7. david.kierznowski @ November 11th, 2006

    Mike, an email was sent to Peter Andrews - Project Lead, Developer.

  8. GNUCITIZEN » Web Pages from Hell 2 @ November 14th, 2006

    […] Update: dwk found another RSS XSS vuln on the latest version of Sage (1.3.8 at time of writing). Additionally, Rick also found another RSS XSS vuln on the latest version. […]

  9. Peter Andrews @ November 16th, 2006

    Thanks for bringing this to light David. Bug filed:

    http://mozdev.org/bugs/show_bug.cgi?id=15767

    A maintenance release will follow shortly.

  10. Peter Andrews @ November 17th, 2006

    Sage 1.3.9 has been released to address this and other issues:

    http://sage.mozdev.org/blog/archives/2006/11/sage_1_3_9_released.html

  11. […] vulnerability in Firebug - we have seen previous vulnerabilities in Firefox plugins including the Sage RSS reader exploits myself and pdp exploited in the past. The awesome concept here was using Mozilla code to load executable files. […]

  12. naisioxerloro @ November 29th, 2007

    Hi.
    Good design, who made it?
