Advisory: IceWarp WebMail Server: User-assisted Cross Site Scripting in
RSS Feed Reader
During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted Cross Site Scripting
attacks in its RSS feed reader. If attackers control or compromise an
RSS feed users are subscribed to, they can run arbitrary JavaScript code
in the users' browsers by embedding it within the feed.
I. BACKGROUND
The Vista sidebar is a desktop extension that allows the user to keep a
number of "gadgets", which are mini-applications, running in constant
view on the desktop. Vista provides a number of default gadgets, such
as a calendar, a weather tool, and an RSS feed reader.
RSS feeds allow a content provider, such as a website, to let others
receive a stream of "headlines" describing content on the provider's
site. The feeds are often updated frequently, and allow a user to
receive information from a site without having to visit it. For
Original URL:
http://securityreason.com/achievement_securityalert/71
--- 0. Description ---
The SeaMonkey project is a community effort to develop the SeaMonkey all-in-one internet application suite (see below). Such a software suite was previously made popular by Netscape and Mozilla, and the SeaMonkey project continues to develop and deliver high-quality updates to this concept. Containing an Internet browser, email & newsgroup client with an included web feed reader, HTML editor, IRC chat and web development tools, SeaMonkey is sure to appeal to advanced users, web developers and corporate users.
--- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. SeaMonkey has the same dtoa as KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and fix
allowing a local attacker to execute arbitrary code.
Background
==========
Blam is an RSS and Atom feed reader for GNOME written in C#.
Affected packages
=================
-------------------------------------------------------------------
# Risk : SQL Injection
##########################################################
Description:
Gregarius is a popular web-based RSS/RDF/ATOM feed aggregator
written in PHP. There are some SQL Injection issues in Gregarius
that allow for the disclosure of database contents and ultimately
the complete compromise of the Gregarius installation via exposed
admin credentials. It is advised that Gregarius users update their
Gregarius installations as soon as possible.
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5837
Duncan Gilmore discovered that yarssr, an RSS aggregator and reader,
performs insufficient input sanitising, which could result in the
execution of arbitrary shell commands if a malformed feed is read.
For the stable distribution (etch), this problem has been fixed in
version 0.2.2-1etch1.
III. BACKGROUND
-------------------------
Back in 2006, there was interesting research done by James Holderness[1] and
James M. Snell[2] which uncovered a variety of XSS issues in various online
feed aggregator services (e.g. Feed Demon). The vulnerability arises from
the fact that it is not expected of RSS readers to render scripted content.
I want to extend that research by doing threat analysis on inbuilt feed
readers offered in most modern browsers. I have found Google Chrome (v2,3)
and Opera (v9,v10) to be vulnerable, while Internet Explorer (v7,8), Firefox
3.5 and Safari 4 are resilient to the exploits mentioned below.
Debian-specific: no
CVE Id : CVE-2009-4102
Debian Bug : 559267
It was discovered that firefox-sage, a lightweight RSS and Atom feed
reader for Firefox, does not sanitise the RSS feed information
correctly, which makes it prone to a cross-site scripting and a
cross-domain scripting attack.
For the stable distribution (lenny), this problem has been fixed in
to execute arbitrary shell commands.
Background
==========
Newsbeuter is an RSS/Atom feed reader for the text console.
Affected packages
=================
-------------------------------------------------------------------
Hi,
This is a cross-zone scripting vulnerability.
FeedReader uses the IE browser control to render HTML.
The RSS reader converts the RSS item data to a formatted HTML file and
caches it locally.
When the user clicks on the RSS item, the RSS reader displays the local
cached file, and any script in that file (or external references) will run
in Local Zone.
Therefore, an attacker can create/manipulate an RSS feed that will execute