[40948] in bugtraq
Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote
daemon@ATHENA.MIT.EDU (SEC Consult Research)
Sat Oct 29 19:40:48 2005
Message-ID: <5216.83.65.90.98.1130422492.squirrel@www.sec-consult.com>
In-Reply-To: <87hdb3gyyy.fsf@mid.deneb.enyo.de>
Date: Thu, 27 Oct 2005 16:14:52 +0200 (CEST)
From: "SEC Consult Research" <research@sec-consult.com>
To: "Florian Weimer" <fw@deneb.enyo.de>
Cc: "Bernhard Mueller" <research@sec-consult.com>,
"Full Disclosure" <full-disclosure@lists.grok.org.uk>,
bugtraq@securityfocus.com
Reply-To: research@sec-consult.com
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
On Thu, October 27, 2005 10:12 am, Florian Weimer said:
> Have you considered in your analysis that malicious servers might
> return HTTP redirects which contain suitable URLs? This requires that
> the offsiteok member is set to true, though, because in the version I
> looked at, only http:// URLs are considered site-local.
Yes, I can confirm this. While I have not thought of this possibility, it
seems to boost the risk coming from the vulnerability.
I found the flaw during a review of Wordpress which uses MagpieRSS which
in turn uses Snoopy. As MagpieRSS is widly used, the concequence is that
any RSS feed-provider can replace the feed with a small redirect script,
exploiting the flaw with a crafted redirect https URL. Doing this with a
highly frequented RSS feed might result in many many servers being
simultaniously compromized. I might add that the offsiteok member defaults
to true and MagpieRSS does not seem to change that default value.
A notice to MagpieRSS has already been sent.
Daniel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com
EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com
