RealTime IT News

Was at Cross-Site Scripting Risk?

Cross-Site Scripting (XSS) flaws are among the most common type of Web 2.0 vulnerability. They can also occur in RSS and Atom feeds and it could happen to almost anyone. Even IBM.

A Japanese security researcher has alleged that an Atom format syndication feed on was at risk from an XSS attack. The flaw would only have been exploitable for users of Microsoft's Internet Explorer version 6 and has apparently been fixed.

Security researcher Yosuke Hasegawa told that he reported the flaw to IBM through the IPA/ISEC. He said IBM replied on Aug. 30 saying the issue had been corrected.

An IBM spokesperson was not immediately available for comment.

In a public posting to a popular security list, Hasegawa posted a proof of concept URL that, when accessed by Internet Explorer 6.0, would trigger a script to operate.

According to Hasegawa, IE6 cannot understand the "application/atom+xml" header as a Content-Type, which is the path by which the feed can be exploited.

Hasegawa explained that he discovered the flaw while examining the problem that IE 6 disregarded the Atom Content-Type.

"At that time, I noticed the point that it was possible to make an Atom feed interpreted as HTML," Hasegawa said. "By chance, I found the as a site that corresponded to such a case." visitors that were browsing using IE7 or Mozilla Firefox were not at risk because those browsers understand the correct content type for Atom.

"IE7 has the function of RSS/Atom feed reader and it corresponds to 'Content-Type: application/atom+xml'", Hasegawa explained. "Therefore, the Atom feed is never recognized as HTML. Firefox is also similar."

The risk of attacks being embedded in RSS or Atom feeds has been known for over a year. In a presentation at BlackHat 2006, SPI Dynamics Security Engineer Robert Auger described in detail how feeds could be comprised by those with malicious intent.