Closed Bug 1330256 Opened 8 years ago Closed 8 years ago

HTML Injection into RSS reader (II)

Product/Component: Firefox :: Untriaged
Type: defect
Version: 53 Branch
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
Reporter: jm.acuna73
Assignee: Unassigned

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce:

This time we can close the <title> tag and thus manipulate the entire xml document in the adobe.com domain. In this example I show a single item but I could add as many as I wanted by modifying the value of the itemsPerPage parameter

https://color.adobe.com/rss/search.cfm?searchQuery=HTML Injection into RSS reader (II)</title><item><title>HTML Injection into RSS reader (II)</title><link>https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc</link><description><![CDATA[ <h4><font color='brown'>Perfil</font></h4> Tras terminar mi formacion de estudios superiores, me especialice en la programacion en tecnologia web.<p> Desde entonces trabajo como analista-programador en la empresa Baratz, Servicios de Teledocumentacion.</p>Tambien formo parte del equipo de nuevas tecnologias de la empresa Finanser Asesores y soy webmaster de la firma delPueyoDiaz.<p>Muy interesado en tecnologia movil.</p> <h4><font color='brown'>Entornos web</font></h4> (X)HTML, HTML5, CSS 2, CSS3, Javascript, AJAX, JQuery, cross-browser, xml, xslt, estanadarizacion w3c, JQuery Mobile, Sencha Touch 2.0 (Mobile App Development Platform).<p> <img border='1' title='profile' src='https://media.licdn.com/mpr/mpr/shrinknp_200_200/p/8/000/1ce/09e/0c204d9.jpg' height='100' hspace='20' vspace='0'><a href='https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc'><strong>jm.acuna73@gmail.com</strong></a></p> ]]></description><pubDate> Thu, 01 Dec 2016 14:50:58 GMT</pubDate><author><![CDATA[Hack jm.acuna73@gmail.com]]></author></item><title>'HTML Injection into RSS reader (II)&key=4EA137CD2D1440A2CF7CA183070D11F7&itemsPerPage=1

Tested on Mozilla Firefox 50.1.0, Google Chrome Version 55.0.2883.87 m with extension https://chrome.google.com/webstore/detail/rss-subscription-extensio/nlbjncdgjeocebhnmkbbbdekmmmcbfjd and Internet Explorer 11

Actual results:

I can manipulate the entire contents of the xml document

Expected results:

The feed reader should be able to escape certain characters
This is an XML injection flaw in Adobe's website. The actual XML document contains your markup, and so we parse it correctly, because it's what the server gives us. You can see this both if you 'view source' on the feed and if you fetch it with e.g. curl (I used a shorter version of your example, and URI escaped it for use in the terminal):

$ curl 'https://color.adobe.com/rss/search.cfm?searchQuery=HTML%20Injection%20into%20RSS%20reader%20(II)%3C%2Ftitle%3E%3Citem%3E%3Ctitle%3EHTML%20Injection%20into%20RSS%20reader%20(II)%3C%2Ftitle%3E%3Clink%3Ehttps%3A%2F%2Fbughunter.withgoogle.com%2Fprofile%2F0d0d6514-b648-4105-b73a-bbed4352e9bc%3C%2Flink%3E%3Cdescription%3E%3C!%5BCDATA%5B%20Hello%20%5D%5D%3E%3C%2Fdescription%3E%3CpubDate%3E%20Thu%2C%2001%20Dec%202016%2014%3A50%3A58%20GMT%3C%2FpubDate%3E%3Cauthor%3E%3C!%5BCDATA%5BHack%20jm.acuna73%40gmail.com%5D%5D%3E%3C%2Fauthor%3E%3C%2Fitem%3E%3Ctitle%3EHTML%20Injection%20into%20RSS%20reader%20(II)&key=4EA137CD2D1440A2CF7CA183070D11F7&itemsPerPage=1'

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:rss="http://blogs.law.harvard.edu/tech/rss" xmlns:kuler="http://kuler.adobe.com/kuler/API/rss/" version="2.0">
<channel>
<title>kuler search results for 'HTML Injection into RSS reader (II)</title><item><title>HTML Injection into RSS reader (II)</title><link>https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc</link><description><![CDATA[ Hello ]]></description><pubDate> Thu, 01 Dec 2016 14:50:58 GMT</pubDate><author><![CDATA[Hack jm.acuna73@gmail.com]]></author></item><title>HTML Injection into RSS reader (II)'</title>
<link>https://color.adobe.com</link>
<description>0 kuler themes were found. Displaying results 1 to 1.</description>
<language>en-us</language>
<pubDate/>
<lastBuildDate/>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Kuler Services</generator>
<managingEditor>kulerfeedback@adobe.com</managingEditor>
<webMaster>kulerfeedback@adobe.com</webMaster>
<recordCount>0</recordCount>
<startIndex>0</startIndex>
<itemsPerPage>1</itemsPerPage>
</channel>
</rss>

For this to be a Firefox bug, the </title> closing would have to have been XML-escaped by the server, which it hasn't been. Marking INVALID because it's not a Firefox bug (which also explains why you can reproduce it elsewhere!). I suggest you report it to Adobe instead. Keeping sec-sensitive because they might want to fix it before it's public.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
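The root cause Gijs points at above (the server pasting the search query into the feed's <title> element without XML-escaping it) can be shown with a small constructed model of the feed generator. The following is an added example and not code from Adobe, Mozilla or this bug; the feed template, the sample query and the function names are assumptions made for the illustration. It builds the same feed twice, once the unescaped way and once with xml.sax.saxutils.escape, then parses both with a standard XML parser to show what a conformant feed reader actually sees.

```python
"""Constructed model of the XML-injection root cause discussed in this bug.

Two feed generators are compared: a naive one that interpolates the search
query verbatim into <title> (the behaviour visible in the curl output above)
and a fixed one that XML-escapes it first. Both outputs are parsed with
ElementTree, i.e. the same thing a feed reader does.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample query (hypothetical): closes <title>, injects a whole
# <item> element, then reopens <title> so the document stays well-formed.
SAMPLE_QUERY = "demo</title><item><title>injected item</title></item><title>"

# Minimal stand-in for the real feed template (assumption, not Adobe's code).
FEED_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<rss version="2.0"><channel>'
    "<title>kuler search results for '{query}'</title>"
    '<link>https://color.adobe.com</link>'
    '<description>0 kuler themes were found.</description>'
    '</channel></rss>'
)


def build_feed_naive(query: str) -> str:
    """Vulnerable: the query is interpolated as-is, so markup in it becomes markup."""
    return FEED_TEMPLATE.format(query=query)


def build_feed_escaped(query: str) -> str:
    """Fixed: '&', '<' and '>' become entities, so the query can only ever be text."""
    return FEED_TEMPLATE.format(query=escape(query))


def count_items(feed_xml: str) -> int:
    """Number of <item> elements a conformant reader finds in the channel."""
    root = ET.fromstring(feed_xml)
    return len(root.findall("./channel/item"))


def channel_title(feed_xml: str) -> str:
    """Text of the first <title> child of <channel>, as the reader decodes it."""
    root = ET.fromstring(feed_xml)
    return root.findtext("./channel/title")


if __name__ == "__main__":
    for name, builder in (("naive", build_feed_naive), ("escaped", build_feed_escaped)):
        feed = builder(SAMPLE_QUERY)
        print(f"{name}: items={count_items(feed)} title={channel_title(feed)!r}")
```

With the naive builder the parser reports one <item> and a truncated channel title, which is exactly why a feed reader renders the injected entry: the document it received is well-formed XML that really contains that item. With the escaped builder the parser reports zero items and returns the whole query, angle brackets included, as the title text. Note that escape() only covers element content; a query reflected into an attribute value would need quoteattr() (or an XML library that builds the tree instead of concatenating strings).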
Thanks Gijs, the Adobe team is also aware of the bug.
Group: firefox-core-security → core-security-release
It can be made public. The bug has been fixed by the Adobe team: https://hackerone.com/reports/187648 Thanks!
Group: core-security-release