ha.ckers sla.cking
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Date: December 28, 2008 07:03AM

Hello sla.ckers :)

I found a 0day exploit in MagpieRSS, a PHP based RSS reader. There have been a few found before, but this is something completely different.

To get this to work, you need to have a website set up, or a home computer running Apache.

Basically, when MagpieRSS parses the XML tags, anything inside the CDATA tags is not escaped, using htmlentities() or any other form of escaping.

This means, we can craft a malicious RSS feed, for example:

This RSS feed contains a cookie stealer inside the CDATA. If this feed is added into MagpieRSS, an iframe with the cookie stealer will be loaded, and your cookies will be sent to my logger, set up on my home PC.

The problem is this requires partial social engineering, but to be honest, it's not very difficult to ask an unsuspecting user to add your news feed to his list.

Furthermore, co-running means that I have access to their files, so, if someone has the HBH RSS feed loaded [the site I first found this exploit on, so some users may have the HBH feed loaded], I could replace the real one with my malicious one, and once the MagpieRSS reader reloads, more cookies for me.

Hope someone finds this interesting :)


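The post above describes a feed reader that copies CDATA content from a feed straight into the page. The following is an added illustration of that bug class, not code from MagpieRSS or from the poster. The feed is constructed for the example, the hostname attacker.example is a placeholder, and the two render functions are hypothetical stand-ins for a reader's output code. The point it shows that the post does not spell out: after XML parsing, text that arrived inside `<![CDATA[...]]>` and text that arrived entity-encoded (`&lt;iframe&gt;`) are byte-for-byte identical to the reader, so the XML layer cannot tell "safe" from "unsafe" item text. The only reliable fix is to HTML-escape every feed-controlled string at the moment it is written into HTML.

```python
"""CDATA in an RSS feed versus a reader that echoes item text into HTML.

Added example, not MagpieRSS code. FEED is constructed for illustration;
attacker.example is a placeholder host; render_unsafe/render_safe are
hypothetical stand-ins for a reader's output code.
"""
import html
import xml.etree.ElementTree as ET

# Constructed feed: the same iframe payload delivered two ways, once inside
# CDATA and once entity-encoded. The XML parser unwraps both to the same text.
PAYLOAD = '<iframe src="http://attacker.example/log"></iframe>Hello'

FEED = f"""<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>CDATA item</title>
      <description><![CDATA[{PAYLOAD}]]></description>
    </item>
    <item>
      <title>Entity item</title>
      <description>{html.escape(PAYLOAD, quote=False)}</description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return (title, description) pairs as the XML parser hands them to the reader.

    CDATA sections are already unwrapped here: the reader sees raw '<iframe ...>'.
    """
    root = ET.fromstring(feed_xml)
    return [
        (item.findtext("title", ""), item.findtext("description", ""))
        for item in root.iter("item")
    ]


def render_unsafe(items):
    """Vulnerable pattern (what the post describes): feed text dropped into HTML verbatim."""
    return "".join(f"<li><b>{title}</b>: {desc}</li>" for title, desc in items)


def render_safe(items):
    """Hardened pattern: every feed-controlled string is HTML-escaped at output time,
    regardless of whether it came from CDATA or from entity-encoded text."""
    return "".join(
        f"<li><b>{html.escape(title)}</b>: {html.escape(desc)}</li>"
        for title, desc in items
    )


def contains_active_markup(rendered):
    """Crude check used by the demo: does the output still contain a live tag?"""
    lowered = rendered.lower()
    return "<iframe" in lowered or "<script" in lowered


if __name__ == "__main__":
    items = parse_items(FEED)
    # Both descriptions are identical after parsing, so the reader cannot
    # distinguish them; escaping has to happen at render time.
    print("CDATA text == entity text:", items[0][1] == items[1][1])
    print("unsafe render injects iframe:", contains_active_markup(render_unsafe(items)))
    print("safe render injects iframe:  ", contains_active_markup(render_safe(items)))
```

Escaping at output is the minimum; a reader that wants to allow some formatting in descriptions would need an allow-list HTML sanitizer rather than html.escape, but the escaping step is what the post says was missing.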