Cross-Site Scripting (XSS)flaws are among the most common type
of Web 2.0 vulnerability. They can also occur in RSS and Atom feeds and it
could happen to almost anyone. Even IBM.
A Japanese security researcher has alleged that an Atom format syndication
feed on IBM.com was at risk from an XSS attack. The flaw would only have
been exploitable for users of Microsoft’s Internet Explorer version 6 and
has apparently been fixed.
Security researcher Yosuke Hasegawa told InternetNews.com that he reported the flaw to IBM through the IPA/ISEC. He said IBM replied on Aug. 30 saying the issue had been corrected.
An IBM spokesperson was not immediately available for comment.
In a public posting to a popular security list, Hasegawa posted a proof of
concept URL that, when accessed by Internet Explorer 6.0, would trigger a script to operate.
According to Hasegawa, IE6 cannot understand the “application/atom+xml”
header as a Content-Type, which is the path by which the feed can be
exploited.
Hasegawa explained that he discovered the IBM.com flaw while examining the
problem that IE 6 disregarded the Atom Content-Type.
“At that time, I noticed the point that it was possible to make an Atom feed
interpreted as HTML,” Hasegawa said. “By chance, I found the IBM.com as a
site that corresponded to such a case.”
IBM.com visitors that were browsing using IE7 or Mozilla Firefox were not at
risk because those browsers understand the correct content type for Atom.
“IE7 has the function of RSS/Atom feed reader and it corresponds to
‘Content-Type: application/atom+xml'”, Hasegawa explained. “Therefore, the
Atom feed is never recognized as HTML. Firefox is also similar.”
The risk of attacks being embedded in RSS or Atom feeds has been known for
over a year. In a presentation
at BlackHat 2006, SPI Dynamics Security Engineer Robert Auger described
in detail how feeds could be comprised by those with malicious intent.