HTML Injection into RSS reader
Reported by jm.acun...@gmail.com, Jan 11 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
We can close the <title> tag and thus manipulate the entire xml document in the adobe.com domain. In this example I show a single item but I could add as many as I wanted by modifying the value of the itemsPerPage parameter

https://color.adobe.com/rss/search.cfm?searchQuery=HTML Injection into RSS reader (II)</title><item><title>HTML Injection into RSS reader (II)</title><link>https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc</link><description><![CDATA[ <h4><font color='brown'>Perfil</font></h4> Tras terminar mi formacion de estudios superiores, me especialice en la programacion en tecnologia web.<p> Desde entonces trabajo como analista-programador en la empresa Baratz, Servicios de Teledocumentacion.</p>Tambien formo parte del equipo de nuevas tecnologias de la empresa Finanser Asesores y soy webmaster de la firma delPueyoDiaz.<p>Muy interesado en tecnologia movil.</p> <h4><font color='brown'>Entornos web</font></h4> (X)HTML, HTML5, CSS 2, CSS3, Javascript, AJAX, JQuery, cross-browser, xml, xslt, estanadarizacion w3c, JQuery Mobile, Sencha Touch 2.0 (Mobile App Development Platform).<p> <img border='1' title='profile' src='https://media.licdn.com/mpr/mpr/shrinknp_200_200/p/8/000/1ce/09e/0c204d9.jpg' height='100' hspace='20' vspace='0'><a href='https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc'><strong>jm.acuna73@gmail.com</strong></a></p> ]]></description><pubDate> Thu, 01 Dec 2016 14:50:58 GMT</pubDate><author><![CDATA[Hack jm.acuna73@gmail.com]]></author></item><title>'HTML Injection into RSS reader (II)&key=4EA137CD2D1440A2CF7CA183070D11F7&itemsPerPage=1

Tested on Mozilla Firefox 50.1.0, Google Chrome Versión 55.0.2883.87 m with extension https://chrome.google.com/webstore/detail/rss-subscription-extensio/nlbjncdgjeocebhnmkbbbdekmmmcbfjd and Internet Explorer 11

What is the expected behavior?
The feed reader should be able to escape certain characters

What went wrong?
I can manipulate the entire contents of the xml document

WebStore page: https://chrome.google.com/webstore/detail/rss-subscription-extensio/nlbjncdgjeocebhnmkbbbdekmmmcbfjd
Did this work before? N/A
Chrome version: 55.0.2883.87 Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 24.0 r0

Jan 13 2017
Sorry, this is an XML injection flaw in Adobe's website. The Adobe team is also aware of the bug.

Jan 16 2017

Jan 23 2017
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 13 2017
Cleaning up "Needs-Review" label as we are not using this label for triage. Ref bug 684919

Mar 13 2017

Mar 15 2018
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by kkaluri@chromium.org, Jan 13 2017
Labels: Needs-Feedback
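
The flaw class discussed in this thread (a search term reflected into the feed's <title> without XML escaping), shown beside the escaped form, as an added example that is not part of the original report and is not Adobe's or Chromium's code. The feed template, function names, hosts and sample query are constructed for illustration.

```python
# Added illustration, not Adobe's or Chromium's code. The feed template,
# function names, hosts and the sample query are constructed for this example.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

FEED = ("<rss version=\"2.0\"><channel>"
        "<title>Search results: {query}</title>"
        "<link>https://feeds.example/search</link>"
        "</channel></rss>")


def build_feed_unescaped(query: str) -> str:
    """Reflects the search term verbatim, the pattern the report describes."""
    return FEED.format(query=query)


def build_feed_escaped(query: str) -> str:
    """Encodes &, < and > so the term can only ever be character data."""
    return FEED.format(query=escape(query))


def summarize(feed_xml: str) -> dict:
    """Parse the feed the way a reader would and report what it contains."""
    channel = ET.fromstring(feed_xml).find("channel")
    return {
        "titles": [t.text for t in channel.findall("title")],
        "item_links": [i.findtext("link") for i in channel.findall("item")],
    }


# Constructed query with the same shape as the one in the report: it closes
# <title>, supplies an <item>, then reopens <title> so that the template's
# own closing tag still matches and the document stays well-formed.
SAMPLE_QUERY = ("news</title><item><title>Injected entry</title>"
                "<link>https://other.example/</link></item><title>tail")

if __name__ == "__main__":
    for build in (build_feed_unescaped, build_feed_escaped):
        print(build.__name__, summarize(build(SAMPLE_QUERY)))
```

With the unescaped builder the parser sees an extra <item> that the server never generated; with the escaped builder the whole query comes back as the text of a single <title> and the item list is empty.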