I was looking through the feedsplitter.php script avaiable from
http://chxo.com/software/feedsplitter/, version 2006-01-21 (revision 1.7
according to the RCS $Id$, but that looks out of date) today, and noticed a few
problems. (Background: feedsplitter turns RSS feeds into HTML or javascript so
you can easily embed them in non-dynamic sites.)
First, it has a "showsource" function, that discloses its source code to anyone
on the Internet. That's probably OK if you haven't made any confidential
modification, but certainly not something that much software has built in.
Next, it allows a "format" to be specified in the URL query string. This
"format" is used to open an XML file named "$format.xml". $format is checked
for "."s in the filename, but if there is a dot in position 0, the check fails
and filenames like "../../../../../confidential/data" are passed through and
opened. (The name does have .xml appended, though, so you can only read
confidential XML files).
Next, this arbitrary XML file is eval()'d a number of times. If file uploads
are allowed to a server running this script, anyone can execute arbitrary PHP
code. That's a slight security problem, I think :)
Continuing, it appears that the fetched RSS feed from the untrusted Internet is
also eval()'d a few times. I'm not sure if code execution can happen or not --
there's some weird "stripslashes(addslashes($data))" going on. I would think
that's a NOP, but I'm a Perl Monger, not a PHP hacker, so I don't know what
this is doing. Anyway, potentially a problem.
Finally, it appears that any malicious HTML in the RSS feed is passed through,
allowing an RSS administator to steal cookies (XSS, etc.) from any site that
incorporates the output of feedsplitter. It looks like the feed is being put
through "addslashes", but I don't think that escapes HTML. I haven't tested
this, though, so YMMV.
Anyway, I recommend that you avoid this script until the above issues have been
resolved.
Regards,
Jonathan Rockway
