
Flickrizer Exploit

NickE New
edited August 2006 in Vanilla 1.0 Help
As the Flickrizer extension does not validate any information it receives from the rss file, it is easily possible to exploit this and insert js into an account page. For an example of this see my profile. You can see how it's done by viewing the rss 'feed': http://sirnot.googlepages.com/flickr.xml

Comments

  • nice :)
  • NickE New
    edited August 2006
    The FeedReader extension, by folletto, also seems to be vulnerable, although it is probably less likely to be compromised as the administrator is the one who chooses the feed url. For example, if an item is constructed like the following, it will display a message box:
        <item>
          <title>Bla </a><script>alert('hi there');</script></title>
          <link>http://google.com/</link>
        </item>
    I am not sure if FlickrFeed suffers from this same vulnerability or not, as I do not know to what extent flickr will 'parse' the info in the php_serial formatted feed.
  • Mark Vanilla Staff
    Hmmm. Thanks for the heads up. I'll have to do a quick fix...
  • NickE New
    edited August 2006
    It'd probably be easiest to fix by replacing all instances of >, < and " with their html entity equivalents, then making sure urls have a valid protocol. But you'd also want to do something about end parenthesis in the thumbnail url, as people could break out of the url() function-thing and insert some js in the styling. Alternately you could add in quotes around the url then replace single quotes in the url with entities...
  • Mark Vanilla Staff
    I was thinking about doing something like removing the need for the entire URL and just having them enter their id parameter from the rss querystring. Then I can just validate that value for number@letter## format like mine: 98748659@N00
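The two fixes proposed in this thread (NickE's entity-encoding plus URL checks, and Mark's idea of accepting only a Flickr id and building the feed URL yourself), worked through as an added example. This is illustration code written in Python for this page, not the PHP of the Flickrizer or FeedReader extensions; the feed below is constructed from the item NickE posted, the Media RSS thumbnail, the breakout thumbnail URL and the Flickr feed URL template are assumptions, and the id pattern follows Mark's "number@letter##" description rather than any Flickr documentation.

```python
"""Added example: naive vs. hardened rendering of an RSS item.

Not the extensions' own code. Shows why raw feed values must not be dropped
into HTML or CSS, and how the fixes suggested in the thread close the hole.
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed. The title carries NickE's payload; it is entity-encoded so
# the XML stays well-formed, and the parser hands the raw markup back to us,
# which is exactly what a feed-reading extension would then print.
# The thumbnail URL (assumed Media RSS element) closes the CSS url() and
# starts a new declaration, the break-out NickE describes.
MALICIOUS_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel>
<item>
  <title>Bla &lt;/a&gt;&lt;script&gt;alert('hi there');&lt;/script&gt;</title>
  <link>http://google.com/</link>
  <media:thumbnail url="http://example.com/a.jpg);}body{background:url(javascript:alert(1)"/>
</item>
</channel></rss>"""

MEDIA_NS = "{http://search.yahoo.com/mrss/}"


def parse_items(feed_xml):
    """Return a list of dicts with title, link and thumbnail URL per <item>."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        thumb = item.find(MEDIA_NS + "thumbnail")
        items.append({
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "thumb": thumb.get("url", "") if thumb is not None else "",
        })
    return items


def render_unsafe(item):
    """The vulnerable pattern: feed values interpolated straight into markup."""
    return '<a href="%s" style="background:url(%s)">%s</a>' % (
        item["link"], item["thumb"], item["title"])


SAFE_SCHEMES = ("http", "https")


def safe_url(url):
    """NickE's 'valid protocol' check: only absolute http(s) URLs pass."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return url


# Characters that can terminate or confuse a CSS url() token.
CSS_URL_BAD = re.compile(r"[()'\"\\\s]")


def safe_css_url(url):
    """Thumbnail URL for use inside url(): valid scheme and no break-out chars."""
    url = safe_url(url)
    if url is None or CSS_URL_BAD.search(url):
        return None
    return url


def render_safe(item):
    """Hardened rendering: entity-encode text, whitelist URL schemes,
    and drop a thumbnail rather than emit one that could escape url()."""
    link = safe_url(item["link"]) or "#"
    thumb = safe_css_url(item["thumb"])
    style = ""
    if thumb:
        style = ' style="background:url(%s)"' % html.escape(thumb, quote=True)
    return '<a href="%s"%s>%s</a>' % (
        html.escape(link, quote=True), style,
        html.escape(item["title"], quote=True))


# Mark's alternative: never accept a URL at all, only an id of the shape
# "number@letter##" (his example: 98748659@N00), then build the URL yourself.
FLICKR_ID = re.compile(r"^[0-9]+@[A-Z][0-9]{2}$")

# Assumed feed URL template; check against Flickr's current feed docs.
FLICKR_FEED = "http://www.flickr.com/services/feeds/photos_public.gne?id=%s&format=rss_200"


def valid_flickr_id(value):
    return bool(FLICKR_ID.match(value))


def flickr_feed_url(user_id):
    """Raise on anything that is not a plain id, so no attacker-chosen host,
    path or extra query parameters can reach the fetcher."""
    if not valid_flickr_id(user_id):
        raise ValueError("not a Flickr user id: %r" % user_id)
    return FLICKR_FEED % user_id


if __name__ == "__main__":
    item = parse_items(MALICIOUS_FEED)[0]
    print("unsafe:", render_unsafe(item))
    print("safe:  ", render_safe(item))
    print(flickr_feed_url("98748659@N00"))
```

Note that `render_safe` discards a thumbnail it cannot prove safe instead of trying to repair it; for a value that ends up inside both an HTML attribute and a CSS function, rejecting is simpler to get right than escaping for two contexts at once.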