Correct me if I'm wrong but the following description from <http://www.securityfocus.com/bid/19928/discuss> is wrong:

"Attacker-supplied HTML and script code would execute in the context of the affected website"

Code is NOT executed within the context of the affected site but rather within LOCAL CONTEXT. I tested this vulnerability myself, and I can confirm that it allows you to read arbitrary files from the local filesystem by getting someone to subscribe to your malicious RSS feed (the feed needs to be read with Sage Firefox extension).

The reason for getting scripting in the local context is because the feed is stored locally, and then the injected scripting code is executed.

Furthermore, David Kierznowski should also be credited with the discovery of this vulnerability (in addition to pdp and Kevin Hamilton):

http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/

Additionally, as an update, there are 2 new cross-context scripting vulnerabilities found in Sage by David Kierznowski and Rick. Then again, we have LOCAL CONTEXT SCRIPTING. So forget about restrictions to running scripts within the context of the vulnerable site:

http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/#comment-1058

Finally, I'd like to make clear that Firefox *doesn't* show any security warning when executing JavaScript locally (whereas IE *does*). So when exploiting this cross-context scripting vulnerability in Sage, Firefox will show NO SECURITY WARNING to the user whatsoever.

More on Firefox not showing security warnings when launching evil HTML files locally:

http://www.gnucitizen.org/blog/web-pages-from-hell-2/

--
pagvac
[http://ikwt.com/]
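Added example, not part of the original post and not Sage's code: a feed renderer that writes item fields into a locally stored HTML page, shown in the unescaped form the post describes and in a hardened form that treats every field as text. All function names and the sample item are hypothetical and constructed for illustration.

```javascript
// Hypothetical renderer for illustration; names are assumptions, not Sage's API.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allow only http(s) links; any other scheme or unparsable value becomes an inert "#".
function safeLink(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
  } catch (e) {
    return '#';
  }
}

// Vulnerable pattern: remote feed fields are concatenated into markup that is
// then stored on disk and opened from a local origin.
function renderItemUnsafe(item) {
  return `<div class="item"><a href="${item.link}">${item.title}</a>` +
         `<p>${item.description}</p></div>`;
}

// Hardened pattern: every field is escaped, and the link scheme is allowlisted.
function renderItemSafe(item) {
  return `<div class="item"><a href="${escapeHtml(safeLink(item.link))}">` +
         `${escapeHtml(item.title)}</a><p>${escapeHtml(item.description)}</p></div>`;
}

// Simple demonstration check: does the rendered markup still carry active content?
function containsActiveMarkup(html) {
  return /<script\b|href="javascript:/i.test(html);
}

// Constructed sample item; the values stand in for untrusted feed content.
const sampleItem = {
  title: 'Constructed item',
  link: 'javascript:void(0)',
  description: 'Hello<script>document.title="injected"</script>',
};

console.log('unsafe render active:', containsActiveMarkup(renderItemUnsafe(sampleItem)));
console.log('safe render active:  ', containsActiveMarkup(renderItemSafe(sampleItem)));
```

Because the rendered page runs from a local origin, escaping at render time is the control that matters here; there is no site origin to confine a script once it is in the stored file.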