Google Reader "preview" and "lens" script improper feed validation

Discussion in 'Forum for discussion of ANTICHAT' started by NeMiNeM, 9 Apr 2006.

  1. NeMiNeM

    NeMiNeM Elder - Старейшина

    Joined:
    22 Aug 2005
    Messages:
    480
    Likes Received:
    307
    Reputations:
    201
    Google Reader "preview" and "lens" script improper feed validation
    ===================================================================

    I. DESCRIPTION

    Google Reader (http://www.google.com/reader/) helps organise the contents of
    those rss or atom feeds for which the user is interested in or subscribed
    to. The user instead of continuously checking his/her favorite sites or
    discussion groups for updates, (s)he can let Google Reader do it for them.
    >From news sites to your friends' blogs, Google Reader helps stay
    >up-to-date
    with all the online information that matters most to the user.


    II. VULNERABILITY DETAILS

    Google reader is supposed to display only those contents which the user has
    subscribed to however two vulnerabilities has been identified which may
    allow an attacker to entice it's victim (using google reader service) to
    view unwanted web contents carrying malicious payloads.


    a. Google reader "preview" script improper feed validation (without user
    authentication)
    ----------------------------------------------------------------------------
    ------------
    Google feed reader "preview" script: The script
    (http://www.google.com/reader/preview/*/feed/) is normally used for
    displaying the feed contents within the reader.

    For example, the following request will display the rss content of the link
    http://www.Mcft.com/athome/security/rss/rssfeed.aspx:

    http://www.google.com/reader/preview/*/feed/http://www.Mcft.com/athome/
    security/rss/rssfeed.aspx

    Note: '*' in the above link can be replace with any word of your choice
    otherwise it can be left as it is.

    This 'preview' script is only available to authenticated user but if a
    direct link is provided it doens't ask for user authentication. It can be
    very usefull for an attacker to mount an attack on its victim by directing
    them to view the content of malicious sites (carrying evil payloads).


    b. Google reader "lens" script improper feed validation (with user
    authentication)
    ----------------------------------------------------------------------------
    ------
    Google feed reader "lens" script: The script
    (http://www.google.com/reader/lens/feed/) is normally used for displaying
    contents of only those feeds to which an authenticated user has subscribed
    to.

    However, it is possible to pass any rss / atom feed to the script as
    parameter to which the user has not subscribed but the un-subscribed feed
    contents can still be loaded within the user reader page.

    For example, the following request will display the rss content of the link
    http://www.securityfocus.com/rss/news.xml:
    http://www.google.com/reader/lens/feed/http://www.securityfocus.com/rss/news
    ..xml

    This 'lens' script is only available to authenticated user and can be
    usefull for an attacker to mount an attack on its victim by directing them
    to view the content of malicious sites (carrying evil payloads) even though
    the user is not subscribed to.


    III. VENDOR
    Google.com



    IV. HISTORY
    30th Jan, 2006 - Bug originally discovered
    2nd Feb, 2006 - Vendor Notified
    ....
    ....
    No vendor response
    ....
    ....
    22nd Feb, 2006 - Vendor Notified again
    22nd Feb, 2006 - Public Disclosre


    IV. CREDITS
    Debasis Mohanty
    www.hackingspirits.com

    ----
    I don't know if it still works, but you should try.
     
    1 person likes this.
Loading...