Correct me if I'm wrong, but the following description from
is wrong:
"Attacker-supplied HTML and script code would execute in the context
of the affected website"
Code is NOT executed within the context of the affected site but
rather within LOCAL CONTEXT.
I tested this vulnerability myself, and I can confirm that it allows
you to read arbitrary files from the local filesystem by getting
someone to subscribe to your malicious RSS feed (the feed needs to be
read with the Sage Firefox extension). The reason for getting scripting in
the local context is that the feed is stored locally, and then the
injected scripting code is executed.
Furthermore, David Kierznowski should also be credited with the
discovery of this vulnerability (in addition to pdp and Kevin
Hamilton):
http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
Additionally, as an update, there are two new cross-context scripting
vulnerabilities found in Sage by David Kierznowski and Rick. Again,
we have LOCAL CONTEXT SCRIPTING. So forget about restrictions on
running scripts within the context of the vulnerable site:
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/#comment-1058
Finally, I'd like to make clear that Firefox *doesn't* show any
security warning when executing JavaScript locally (whereas IE
*does*). So when exploiting this cross-context scripting vulnerability
in Sage, Firefox will show NO SECURITY WARNING to the user whatsoever.
More on Firefox not showing security warnings when launching evil HTML
files locally:
http://www.gnucitizen.org/blog/web-pages-from-hell-2/
--
pagvac
[http://ikwt.com/]
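The mechanism the post describes (a feed reader writes attacker-supplied item markup into a page it stores locally, so any script in that markup runs in the local rather than the site's context) can be shown with a small model of the reader side. The following is an added example, not code from the post above, from Sage, or from any of the linked write-ups; the feed text, the `attacker.example` host and the `alert(document.location)` payload are constructed for the demonstration, and the two render functions are hypothetical readers, one naive and one that escapes feed content and drops non-http links.

```python
"""Added example: attacker-controlled RSS markup landing in a locally
stored HTML page, and the escaping that keeps it inert.
Not the original post's or Sage's code; feed and payload are constructed."""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed. Item 1 carries HTML plus a <script> tag inside
# <description> (the "RSS injection" discussed above); the script reports
# its own origin, which in a locally stored page would be file://, not the
# feed's site. Item 2 carries a javascript: URL in <link>.
MALICIOUS_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <link>http://attacker.example/</link>
    <description>constructed sample feed</description>
    <item>
      <title>Harmless-looking item</title>
      <link>http://attacker.example/post1</link>
      <description>&lt;b&gt;Hello&lt;/b&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;</description>
    </item>
    <item>
      <title>Click me</title>
      <link>javascript:alert(document.location)</link>
      <description>plain text</description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return (title, link, description) for each RSS 2.0 <item>.
    ElementTree decodes the entity-escaped text, so description is raw HTML."""
    root = ET.fromstring(feed_xml)
    return [
        (
            item.findtext("title", default=""),
            item.findtext("link", default=""),
            item.findtext("description", default=""),
        )
        for item in root.iter("item")
    ]


def render_unsafe(items):
    """Hypothetical naive reader: feed strings go into the page verbatim so
    the feed's own HTML renders. Saved to disk and opened, any <script> in a
    description executes in the local (file://) context."""
    parts = ["<html><body>"]
    for title, link, desc in items:
        parts.append(f'<h2><a href="{link}">{title}</a></h2>')
        parts.append(f"<div>{desc}</div>")
    parts.append("</body></html>")
    return "\n".join(parts)


def safe_link(link):
    """Keep only http(s) URLs; anything else (javascript:, data:, ...) becomes '#'."""
    return link if urlsplit(link).scheme in ("http", "https") else "#"


def render_safe(items):
    """Hypothetical hardened reader: HTML-escape every feed-supplied string
    so markup is shown as text, and refuse non-http link schemes. A reader
    that wants to keep some formatting would use an allowlist sanitiser."""
    parts = ["<html><body>"]
    for title, link, desc in items:
        parts.append(
            f'<h2><a href="{html.escape(safe_link(link), quote=True)}">'
            f"{html.escape(title)}</a></h2>"
        )
        parts.append(f"<div>{html.escape(desc)}</div>")
    parts.append("</body></html>")
    return "\n".join(parts)


def contains_script_tag(page):
    """True if the rendered page still contains a parseable <script> tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    items = parse_items(MALICIOUS_FEED)
    print("naive render keeps <script>:", contains_script_tag(render_unsafe(items)))
    print("escaped render keeps <script>:", contains_script_tag(render_safe(items)))
```

The same two renders stand in for the two failure modes the post mentions: unescaped description HTML gives script execution in whatever origin the stored page is opened from, and an unchecked link gives a `javascript:` URL the user can click in that same origin.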