
Issue 680044


Issue metadata

Status: Archived
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




HTML Injection into RSS reader

Reported by jm.acun...@gmail.com, Jan 11 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:

We can close the <title> tag and thus manipulate the entire xml document in the adobe.com domain.
In this example I show a single item but I could add as many as I wanted by modifying the value of the itemsPerPage parameter

https://color.adobe.com/rss/search.cfm?searchQuery=HTML Injection into RSS reader (II)</title><item><title>HTML Injection into RSS reader (II)</title><link>https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc</link><description><![CDATA[
<h4><font color='brown'>Perfil</font></h4>
Tras terminar mi formacion de estudios superiores, me especialice en la programacion en tecnologia web.<p> Desde entonces trabajo como analista-programador en la empresa Baratz, Servicios de Teledocumentacion.</p>Tambien formo parte del equipo de nuevas tecnologias de la empresa Finanser Asesores y soy webmaster de la firma delPueyoDiaz.<p>Muy interesado en tecnologia movil.</p>
<h4><font color='brown'>Entornos web</font></h4>
(X)HTML, HTML5, CSS 2, CSS3, Javascript, AJAX, JQuery, cross-browser, xml, xslt, estanadarizacion w3c, JQuery Mobile, Sencha Touch 2.0 (Mobile App Development Platform).<p>
<img border='1' title='profile' src='https://media.licdn.com/mpr/mpr/shrinknp_200_200/p/8/000/1ce/09e/0c204d9.jpg' height='100' hspace='20' vspace='0'><a href='https://bughunter.withgoogle.com/profile/0d0d6514-b648-4105-b73a-bbed4352e9bc'><strong>jm.acuna73@gmail.com</strong></a></p>
]]></description><pubDate> Thu, 01 Dec 2016 14:50:58 GMT</pubDate><author><![CDATA[Hack jm.acuna73@gmail.com]]></author></item><title>'HTML Injection into RSS reader (II)&key=4EA137CD2D1440A2CF7CA183070D11F7&itemsPerPage=1

Tested on Mozilla Firefox 50.1.0, Google Chrome Version 55.0.2883.87 m with extension https://chrome.google.com/webstore/detail/rss-subscription-extensio/nlbjncdgjeocebhnmkbbbdekmmmcbfjd and Internet Explorer 11

What is the expected behavior?
The feed reader should be able to escape certain characters

What went wrong?
I can manipulate the entire contents of the xml document

WebStore page: https://chrome.google.com/webstore/detail/rss-subscription-extensio/nlbjncdgjeocebhnmkbbbdekmmmcbfjd

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 24.0 r0
 
Cc: kkaluri@chromium.org
Labels: Needs-Feedback
jm.acuna73@ could you please explain more elaborately on the issue you are facing and provide us the detailed steps to reproduce the issue.

Thank You....

Sorry, this is an XML injection flaw in Adobe's website.
The Adobe team is also aware of the bug.
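
The flaw reported here is on the feed generator's side: the searchQuery value is echoed into `<title>` without XML escaping. As an added example (not code from the report or from Adobe's site; the template, the example.com-style URLs and all function names are constructed for illustration), here is the unescaped builder beside an escaped one, with a regression check that user input never changes the feed's element tree:

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed feed template (assumption): a search feed that echoes the
# user's query inside the channel <title>, as the reported URL does.
TEMPLATE = (
    '<rss version="2.0"><channel>'
    "<title>Search results for {query}</title>"
    "<item><title>Genuine result</title>"
    "<link>https://feed.example/item/1</link></item>"
    "</channel></rss>"
)

# Constructed input with the same shape as the report's searchQuery value:
# it closes <title>, adds an <item>, then reopens <title>.
PAYLOAD = ("x</title><item><title>Injected</title>"
           "<link>https://injected.example/</link></item><title>y")


def build_feed_vulnerable(query):
    """Raw string interpolation: markup in the query becomes feed markup."""
    return TEMPLATE.format(query=query)


def build_feed_escaped(query):
    """Escape &, < and > so the query can only ever be title text."""
    return TEMPLATE.format(query=escape(query))


def item_links(feed_xml):
    """Links of every <item> a feed reader would display."""
    return [i.findtext("link") for i in ET.fromstring(feed_xml).iter("item")]


def query_alters_structure(builder, query):
    """Regression check: user input must never change the element tree."""
    def tags(xml):
        return [el.tag for el in ET.fromstring(xml).iter()]
    try:
        return tags(builder(query)) != tags(builder("benign"))
    except ET.ParseError:
        return True  # input broke well-formedness, also a failure


if __name__ == "__main__":
    for build in (build_feed_vulnerable, build_feed_escaped):
        print(build.__name__, item_links(build(PAYLOAD)),
              query_alters_structure(build, PAYLOAD))
```

The same check can run in a test suite against any feed endpoint's builder, so that a change which reintroduces raw interpolation fails before release.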

Comment 3 by ajha@chromium.org, Jan 16 2017

Labels: Needs-Triage-M55
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 23 2017

Labels: -Needs-Feedback Needs-Review
Owner: kkaluri@chromium.org
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by cda...@chromium.org, Mar 13 2017

Cleaning up "Needs-Review" label as we are not using this label for triage. Ref bug 684919

Comment 6 by cda...@chromium.org, Mar 13 2017

Labels: -Needs-Review
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 15 2018

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
