[
Lists Home |
Date Index |
Thread Index
]
> The subject asks the question. Given the disasters that
> have come of sending attachments in email, what are the
> potentials for sending script-laden media via RSS?
I had posted some exploits that I made for some of the more popular feed
readers about two years ago and nobody blinked at the time. The two key
rules that I found were (a) trust the site that you are subscribing to
and (b) trust the template you are using. These are pretty obvious-- but
at the time there were a lot of people converting mailing lists to
feeds-- a rogue email to a list was a tunnel straight into the RSS
application. Most of the feed readers at the time did make attempts to
strip out scripts and other such info-- but those can always be
manipulated to create the script just by assuming the right processing
steps. In the case of templates it was even easier because many engines
used XSLT on the back end-- adding in some EXSLT or Microsoft extensions
allowed you to execute Javascript out of the browser sandbox which
allowed for ActiveX calls and all of the classic script kiddie attacks.
I haven't gone through the paces for a while now though... one would
hope it has tightened up a bit...
Cheers,
Jeff Rafter
|
