RealTime IT News

Was IBM.com at Cross-Site Scripting Risk?

Cross-Site Scripting (XSS) flaws are among the most common type of Web 2.0 vulnerability. They can also occur in RSS and Atom feeds and it could happen to almost anyone. Even IBM.

A Japanese security researcher has alleged that an Atom format syndication feed on IBM.com was at risk from an XSS attack. The flaw would only have been exploitable for users of Microsoft's Internet Explorer version 6 and has apparently been fixed.

Security researcher Yosuke Hasegawa told InternetNews.com that he reported the flaw to IBM through the IPA/ISEC. He said IBM replied on Aug. 30 saying the issue had been corrected.

An IBM spokesperson was not immediately available for comment.

In a public posting to a popular security list, Hasegawa posted a proof of concept URL that, when accessed by Internet Explorer 6.0, would trigger a script to operate.

According to Hasegawa, IE6 cannot understand the "application/atom+xml" header as a Content-Type, which is the path by which the feed can be exploited.

Hasegawa explained that he discovered the IBM.com flaw while examining the problem that IE 6 disregarded the Atom Content-Type.

"At that time, I noticed the point that it was possible to make an Atom feed interpreted as HTML," Hasegawa said. "By chance, I found the IBM.com as a site that corresponded to such a case."

IBM.com visitors that were browsing using IE7 or Mozilla Firefox were not at risk because those browsers understand the correct content type for Atom.

"IE7 has the function of RSS/Atom feed reader and it corresponds to 'Content-Type: application/atom+xml'", Hasegawa explained. "Therefore, the Atom feed is never recognized as HTML. Firefox is also similar."

The risk of attacks being embedded in RSS or Atom feeds has been known for over a year. In a presentation at BlackHat 2006, SPI Dynamics Security Engineer Robert Auger described in detail how feeds could be comprised by those with malicious intent.