Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Wrapping Scripted Media in RSS: Secure?
 > The subject asks the question. Given the disasters that > have come of sending attachments in email, what are the > potentials for sending script-laden media via RSS? I had posted some exploits that I made for some of the more popular feed readers about two years ago and nobody blinked at the time. The two key rules that I found were (a) trust the site that you are subscribing to and (b) trust the template you are using. These are pretty obvious-- but at the time there were a lot of people converting mailing lists to feeds-- a rogue email to a list was a tunnel straight into the RSS application. Most of the feed readers at the time did make attempts to strip out scripts and other such info-- but those can always be manipulated to create the script just by assuming the right processing steps. In the case of templates it was even easier because many engines used XSLT on the back end-- adding in some EXSLT or Microsoft extensions allowed you to execute Javascript out of the browser sandbox which allowed for ActiveX calls and all of the classic script kiddie attacks. I haven't gone through the paces for a while now though... one would hope it has tightened up a bit... Cheers, Jeff Rafter 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
