Comments on: RSS Injection in Sage part 2

By: Operation n » Malware Security Testing

Operation n » Malware Security Testing — Thu, 08 Jan 2009 23:01:45 +0000

[...] have recently found or reported serious malware potential in Quicktime, MP3, PDF, Flash and RSS to name a [...]

By: naisioxerloro

naisioxerloro — Thu, 29 Nov 2007 00:13:40 +0000

Hi.
Good design, who make it?

By: Operation n » Firebug XSS Mayhem

Operation n » Firebug XSS Mayhem — Thu, 05 Apr 2007 09:03:18 +0000

[...] vulnerability in Firebug – we have seen previous vulnerabilities in Firefox plugins including the Sage RSS reader exploits myself and pdp exploited in the past. The awesome concept here was using Mozilla code to load executables files. [...]

By: Peter Andrews

Peter Andrews — Sat, 18 Nov 2006 04:53:57 +0000

Sage 1.3.9 has been released to address this and other issues:

http://sage.mozdev.org/blog/archives/2006/11/sage_1_3_9_released.html

By: Peter Andrews

Peter Andrews — Fri, 17 Nov 2006 03:06:34 +0000

Thanks for bringing this to light David. Bug filed:

http://mozdev.org/bugs/show_bug.cgi?id=15767

A maintenance release will follow shortly.

By: GNUCITIZEN » Web Pages from Hell 2

GNUCITIZEN » Web Pages from Hell 2 — Wed, 15 Nov 2006 02:43:28 +0000

[...] Update: dwk found another RSS XSS vuln on the latest version of Sage (1.3.8 at time of writing). Additionally, Rick also found another RSS XSS vuln on the latest version. [...]

By: david.kierznowski

david.kierznowski — Sat, 11 Nov 2006 18:24:59 +0000

Mike, an email was sent to Peter Andrews – Project Lead, Developer.

By: Mike Shaver

Mike Shaver — Sat, 11 Nov 2006 18:14:41 +0000

Was this vulnerability reported to the Sage authors?

By: david.kierznowski

david.kierznowski — Thu, 09 Nov 2006 21:50:28 +0000

Rick, thanks for checking that. I have corrected the missing ). I have also included an alert(’blah’) into the Windows exploit.

By: kd

kd — Thu, 09 Nov 2006 19:32:41 +0000

I too cannot get the alert(’blah’) to work. Any ideas?