Secunia released a bulletin yesterday on RSSOwl’s vulnerabilities to scripting attacks inside Atom feeds. (This may be a new problem, or could be old news.)

SPI Dynamics has discovered some vulnerabilities in RSSOwl, which can be exploited by malicious people to conduct script insertion attacks and potentially compromise a user’s system.

The vulnerabilities are caused due to input validation errors in the processing of Atom feeds. This can be exploited to inject and execute arbitrary HTML and script code in context of the Atom feed by tricking a user into adding a malicious Atom feed and then viewing the content of it.

Successful exploitation allows execution of arbitrary script code in the “My Computer” zone on the Microsoft Windows platform.

The vulnerabilities have been confirmed in versions 1.2.1 and 1.2.2. Other versions may also be affected.

I’m mostly a NewsGator Online user these days because of the sheer number of computers I touch on any given day, but I’m still a fan of RSSOwl and Ben Pasero’s work. I emailed him to see if he cares to comment on the bulletin and his plan to address the issues…. I’ll post his response if he provides one below:

Update Sept. 21, 2006

“It is basically not a new deal, but more or less repeating what was already said before with Javascript vulnerabilities. I am a bit surprised that the described issues were reproducable with
RSSOwl 1.2.2, because I did one change that should let the Browser run in a more secure area
(Local Machine Lockdown.) Anyways for the future I am planning to take care about removing
Javascript from the content of a Feed.” - Ben Pasero, lead developer on RSSOwl

This entry was posted on Thursday, September 21st, 2006 at 13:30 and is filed under syndication. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.