Back to list
feedsplitter considered harmful
Aug 30 2006 08:09PM
jon jrock us
First, it has a "showsource" function, that discloses its source code to anyone on the Internet. That's probably OK if you haven't made any confidential modification, but certainly not something that much software has built in.
Next, it allows a "format" to be specified in the URL query string. This "format" is used to open an XML file named "$format.xml". $format is checked for "."s in the filename, but if there is a dot in position 0, the check fails and filenames like "../../../../../confidential/data" are passed through and opened. (The name does have .xml appended, though, so you can only read confidential XML files).
Next, this arbitrary XML file is eval()'d a number of times. If file uploads are allowed to a server running this script, anyone can execute arbitrary PHP code. That's a slight security problem, I think :)
Continuing, it appears that the fetched RSS feed from the untrusted Internet is also eval()'d a few times. I'm not sure if code execution can happen or not -- there's some weird "stripslashes(addslashes($data))" going on. I would think that's a NOP, but I'm a Perl Monger, not a PHP hacker, so I don't know what this is doing. Anyway, potentially a problem.
Finally, it appears that any malicious HTML in the RSS feed is passed through, allowing an RSS administator to steal cookies (XSS, etc.) from any site that incorporates the output of feedsplitter. It looks like the feed is being put through "addslashes", but I don't think that escapes HTML. I haven't tested this, though, so YMMV.
Anyway, I recommend that you avoid this script until the above issues have been resolved.
[ reply ]
Copyright 2010, SecurityFocus