MagpieRSS XSS
Date: December 28, 2008 07:03AM

Hello sla.ckers :)

I found an 0day exploit in MagpieRSS, a PHP-based RSS reader. There have been a few found before, but this is something completely different.

To get this to work, you need to have a website set up, or a home computer running Apache.

Basically, when MagpieRSS parses the XML tags, anything inside the CDATA tags is not escaped, using htmlentities() or any other form of escaping.

This means, we can craft a malicious RSS feed, for example:

http://www.elites0ft.com/poc.xml

This RSS feed contains a cookie stealer inside the CDATA. If this feed is added into MagpieRSS, an iframe with the cookie stealer will be loaded, and your cookies will be sent to my logger, set up on my home PC.

The problem is this requires partial social engineering, but to be honest, it's not very difficult to ask an unsuspecting user to add your news feed to his list.

Furthermore, co-running HellBoundHackers.org means that I have access to their files, so if someone has the HBH RSS feed loaded [I first found this exploit on EnigmaGroup.org, so some users may have the HBH feed loaded], I could replace the real one with my malicious one, and once the MagpieRSS reader reloads, more cookies for me.

Hope someone finds this interesting :)
-System.

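An added illustration of the underlying point, not code from the post or from MagpieRSS: a CDATA section only changes how markup is encoded in the feed, not what the parser hands back. The constructed feed below carries the same iframe once as CDATA and once entity-encoded, and a standard XML parser returns identical text for both, so the reader must escape on output (or sanitize with an allowlist) regardless of how the feed was written. The feed and the logger.invalid URL are constructed sample values.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not the feed from the post). The two items carry
# the same markup: one inside a CDATA section, one entity-encoded.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>cdata item</title>
<description><![CDATA[<iframe src="http://logger.invalid/log"></iframe>]]></description>
</item>
<item><title>entity item</title>
<description>&lt;iframe src=&quot;http://logger.invalid/log&quot;&gt;&lt;/iframe&gt;</description>
</item>
</channel></rss>"""


def parse_items(feed_xml):
    """Return (title, description) pairs exactly as the XML parser decodes them.

    CDATA payloads come back verbatim and entity references are decoded, so
    both items below yield the raw '<iframe ...>' string.
    """
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]


def render_unsafe(items):
    """The MagpieRSS-style mistake: feed text dropped straight into HTML."""
    return "".join(f"<h2>{title}</h2><p>{desc}</p>" for title, desc in items)


def render_safe(items):
    """Escape every feed-controlled string at the point it enters HTML."""
    return "".join(
        f"<h2>{html.escape(title)}</h2><p>{html.escape(desc)}</p>"
        for title, desc in items
    )


if __name__ == "__main__":
    parsed = parse_items(SAMPLE_FEED)
    print("parser output identical for both items:", parsed[0][1] == parsed[1][1])
    print("unsafe:", render_unsafe(parsed))
    print("safe:  ", render_safe(parsed))
```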