On Thu, October 27, 2005 10:12 am, Florian Weimer said:

> Have you considered in your analysis that malicious servers might
> return HTTP redirects which contain suitable URLs? This requires that
> the offsiteok member is set to true, though, because in the version I
> looked at, only http:// URLs are considered site-local.

Yes, I can confirm this. While I have not thought of this possibility, it seems to boost the risk coming from the vulnerability.

I found the flaw during a review of Wordpress which uses MagpieRSS which in turn uses Snoopy. As MagpieRSS is widely used, the consequence is that any RSS feed-provider can replace the feed with a small redirect script, exploiting the flaw with a crafted redirect https URL. Doing this with a highly frequented RSS feed might result in many, many servers being simultaneously compromised.

I might add that the offsiteok member defaults to true and MagpieRSS does not seem to change that default value. A notice to MagpieRSS has already been sent.

Daniel

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com
EOF Daniel Fabian / @2005 d.fabian at sec-consult dot com
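The redirect policy the two posters describe (a redirect target counts as site-local only when it is an http:// URL on the same host as the original request; with offsiteok set to true any Location is followed, including a crafted https URL supplied by the feed provider) can be modelled as a small fetch loop. The following is an added example written for this thread; it is not Snoopy's, MagpieRSS's or WordPress's code. It assumes a hypothetical fetch callback and uses constructed URLs and responses so it runs offline, and it shows why shipping with offsiteok left at its default widens the blast radius of a flaw in off-site (non-http) URL handling.

```python
from urllib.parse import urljoin, urlsplit

# Redirect statuses that carry a Location header worth following.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_site_local(base_url, target_url):
    """Mirror the rule stated in the thread: only an http:// URL on the same
    host (and port) as the original request is site-local. https://, ftp://
    or any other scheme is treated as off-site, as is any other host."""
    base = urlsplit(base_url)
    target = urlsplit(urljoin(base_url, target_url))
    if target.scheme != "http":
        return False
    same_host = (target.hostname or "").lower() == (base.hostname or "").lower()
    same_port = (target.port or 80) == (base.port or 80)
    return same_host and same_port


def resolve_redirect(base_url, location, offsiteok=False):
    """Return the absolute URL to follow, or None if the redirect is refused.
    offsiteok=True reproduces the permissive default the thread warns about."""
    target = urljoin(base_url, location)
    if offsiteok or is_site_local(base_url, target):
        return target
    return None


def fetch_feed(start_url, fetch, offsiteok=False, max_redirects=5):
    """Follow redirects through `fetch(url) -> (status, headers, body)`
    (a hypothetical callback, assumed here) while enforcing the site-local
    policy and a redirect cap. Returns a dict describing the outcome."""
    url = start_url
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_STATUSES and location is not None:
            nxt = resolve_redirect(url, location, offsiteok)
            if nxt is None:
                # Off-site target and offsiteok is false: stop here instead
                # of handing an attacker-chosen URL to the off-site fetch path.
                return {"outcome": "refused", "url": url, "body": b""}
            url = nxt
            continue
        outcome = "ok" if status == 200 else "error"
        return {"outcome": outcome, "url": url, "body": body}
    return {"outcome": "too_many_redirects", "url": url, "body": b""}


# Constructed responses standing in for a feed host and a third-party
# redirector; none of these hosts exist.
RESPONSES = {
    "http://feeds.example/rss.xml": (302, {"Location": "https://redirector.example/feed"}, b""),
    "https://redirector.example/feed": (200, {}, b"<rss/>"),
    "http://feeds.example/moved.xml": (301, {"location": "/rss2.xml"}, b""),
    "http://feeds.example/rss2.xml": (200, {}, b"<rss>ok</rss>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client."""
    return RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    # Same feed, two policies: strict same-site vs. the permissive default.
    print(fetch_feed("http://feeds.example/rss.xml", fake_fetch, offsiteok=False))
    print(fetch_feed("http://feeds.example/rss.xml", fake_fetch, offsiteok=True))
    print(fetch_feed("http://feeds.example/moved.xml", fake_fetch, offsiteok=False))
```

With offsiteok left true the loop happily walks to the https URL chosen by whoever controls the feed; with it false the same redirect is refused before any off-site fetch code runs. A consumer library like MagpieRSS that never sets the flag inherits whichever default the underlying client ships with.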