OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?

[ Lists Home | Date Index | Thread Index ]

> The subject asks the question.   Given the disasters that 
> have come of sending attachments in email, what are the 
> potentials for sending script-laden media via RSS?

I had posted some exploits that I made for some of the more popular feed 
readers about two years ago and nobody blinked at the time. The two key 
rules that I found were (a) trust the site that you are subscribing to 
and (b) trust the template you are using. These are pretty obvious-- but 
at the time there were a lot of people converting mailing lists to 
feeds-- a rogue email to a list was a tunnel straight into the RSS 
application. Most of the feed readers at the time did make attempts to 
strip out scripts and other such info-- but those can always be 
manipulated to create the script just by assuming the right processing 
steps. In the case of templates it was even easier because many engines 
used XSLT on the back end-- adding in some EXSLT or Microsoft extensions 
allowed you to execute Javascript out of the browser sandbox which 
allowed for ActiveX calls and all of the classic script kiddie attacks.

I haven't gone through the paces for a while now though... one would 
hope it has tightened up a bit...

Jeff Rafter


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS