Mailinglist Archive: opensuse-factory (443 mails)

Re: [opensuse-factory] New package 'opensuse-welcome' to Factory
Hi,

On Wednesday, 10 July 2019, 21:00:17 CEST, Fabian Vogt wrote:
I had a quick look at the code and noticed that it makes use of HTML and
friends. It seems to load RSS data over HTTP (no TLS) and shows the latest
entry in the page. If there's some vulnerability found in the RSS entry
display, arbitrary code can be executed using launcher.launch("foo").

Changed to use HTTPS now.

IMO not enough, would it be possible to add some extra steps for sanitization?

So, I just had a more in-depth look and it's absolutely crazy how the RSS
display is implemented.

Instead of fetching the RSS XML document from news.opensuse.org directly,
it does a query to
https://www.feedrapp.info/?callback=...&q=https%3A%2F%2Fnews.opensuse.org%2Ffeed&num=1&_=1562954857632
which returns a JavaScript document, which is then directly eval'd in the
global context.

So by opening this application the user effectively gives www.feedrapp.info
full access to his local user account, they just need to return
"launcher.launch('kdialog --msgbox Pwned')".

Alternatively, a post with the title containing
"<script>console.log("pwned")</script>"
on news.opensuse.org would also lead to a similar result as there is
no HTML escaping whatsoever.

I reported those issues to jquery-rss upstream:
https://github.com/sdepold/jquery-rss/issues/152

So please fix this before including the package in the distribution,
preferably by disabling all access to outside sources by default.

Thanks,
Fabian

Cheers,
Fabian
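The two problems in the mail above are the third-party JSONP response being eval'd and the feed title being inserted as raw HTML. As an added example (not code from opensuse-welcome or jquery-rss), the following renders the latest entry from the feed's own XML with no script evaluation and every feed-controlled string escaped; it assumes an allowlist holding only https://news.opensuse.org/feed and uses a constructed sample feed that carries the hostile title from the mail.

```javascript
// Added example, not code from opensuse-welcome or jquery-rss: render RSS entries from
// the feed's own XML (no JSONP, nothing eval'd). Node 18+ assumed (global URL, matchAll).
const ALLOWED_FEEDS = ["https://news.opensuse.org/feed"]; // constructed allowlist

// Only HTTPS feeds on the allowlist may be fetched at all; anything else is refused.
function checkFeedUrl(url) {
  const u = new URL(url);
  if (u.protocol !== "https:" || !ALLOWED_FEEDS.includes(u.origin + u.pathname))
    throw new Error(`feed not allowed: ${url}`);
  return u.href;
}
// Decode an RSS text node (CDATA or entity-encoded) into the real string.
function decodeXmlText(raw) {
  const cdata = raw.match(/^\s*<!\[CDATA\[([\s\S]*?)\]\]>\s*$/);
  if (cdata) return cdata[1];
  return raw.replace(/&(?:(lt|gt|amp|quot|apos)|#(\d+)|#x([0-9a-fA-F]+));/g,
    (_, name, dec, hex) => name ? ({ lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" })[name]
      : String.fromCodePoint(parseInt(dec ?? hex, dec ? 10 : 16)));
}
// Escape for HTML insertion, so a title like <script>...</script> is shown as text, not run.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Minimal RSS 2.0 <item> extraction (constructed; a real app should use an XML parser).
function parseRssItems(xml, max = 1) {
  const items = [];
  for (const m of xml.matchAll(/<item>([\s\S]*?)<\/item>/g)) {
    if (items.length >= max) break;
    const field = (tag) => {
      const f = m[1].match(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`));
      return f ? decodeXmlText(f[1]) : "";
    };
    items.push({ title: field("title"), link: field("link") });
  }
  return items;
}
// Feed-supplied links are emitted only when they are http(s); other schemes become "#".
function safeHref(link) {
  try { const u = new URL(link); return ["http:", "https:"].includes(u.protocol) ? u.href : "#"; }
  catch { return "#"; }
}
function renderItems(items) {
  return items.map((i) =>
    `<li><a href="${escapeHtml(safeHref(i.link))}">${escapeHtml(i.title)}</a></li>`).join("");
}
// Constructed feed carrying the hostile title from the mail and a non-http link.
const SAMPLE_RSS = `<rss><channel><item><title>&lt;script&gt;console.log("pwned")&lt;/script&gt;` +
  `</title><link>javascript:void(0)</link></item><item><title><![CDATA[Tumbleweed & more]]>` +
  `</title><link>https://news.opensuse.org/2019/07/10/x/</link></item></channel></rss>`;
```

In the real application the XML would come from `fetch(checkFeedUrl(url))` and the returned HTML string would be the only thing inserted into the page; the script tag in the sample title ends up displayed verbatim rather than executed.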


