a notice

Mandatory Upgrade: Feedsplitter 2006-09-19

Mandatory upgrade. This fixes the issues articulated in this post. I'm sorry this took so long to fix; the author of the report was unable to contact me (or didn't try), and I don't follow Bugtraq closely. Please click through for details and new code.

This release fixes a damned embarrassing directory traversal exploit, whereby an attacker could potentially read any .xml file readable by the webserver user, if they knew the exact path.

This release also fixes a potential cross-site scripting exploit.

This release also removes a situation where an attacker could potentially inject PHP code into the RSS feed. I wasn't able to get this exploit to work, but the potential had to be addressed. This release does not eval() any part of the feed, ever.

Finally, I added a built-in test feed to prove that PHP and XSS attacks cannot be embedded in feeds. I heartily welcome any additional tests; please let me know.
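The three fixes above (path restriction, output escaping, and never evaluating feed text) boil down to a small amount of defensive code. The following is an added example written for this notice, not Feedsplitter's own code: the constant FEED_DIR, the functions resolve_feed_path() and render_item(), and the ?feed= query parameter are all assumptions chosen to illustrate the pattern.

```php
<?php
// Added example (not Feedsplitter's code): resolve a user-supplied feed name
// against one fixed directory, and treat feed text strictly as data.
// FEED_DIR, resolve_feed_path() and render_item() are assumed names.

const FEED_DIR = '/var/www/feeds';   // assumed location of the cached .xml feeds

/**
 * Map $name to a file inside FEED_DIR, or return null.
 * Rejects traversal sequences ("../"), absolute paths and symlink escapes by
 * comparing the canonical candidate path against the canonical base directory.
 */
function resolve_feed_path(string $name): ?string
{
    // Only a simple filename is acceptable: no slashes, no leading dots,
    // no ".." components (each dot must be followed by at least one safe char).
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/', $name)) {
        return null;
    }
    $base = realpath(FEED_DIR);
    if ($base === false) {
        return null;                      // feed directory missing
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;                      // no such file
    }
    // Canonical path must still start with "<base>/" (blocks symlink escapes).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only serve .xml files, never arbitrary readable files.
    if (substr($candidate, -4) !== '.xml') {
        return null;
    }
    return $candidate;
}

/**
 * Render one feed item as HTML. Title and description come from a remote
 * feed, so they are HTML-escaped on output; nothing from the feed is ever
 * passed to eval(), include() or similar.
 */
function render_item(string $title, string $description): string
{
    $t = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $d = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li><strong>$t</strong>: $d</li>\n";
}

// Usage: the feed name arrives on the query string, e.g. ?feed=news.xml
$path = resolve_feed_path($_GET['feed'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Unknown feed');
}
$xml = simplexml_load_file($path);   // parse only; feed contents are data
if ($xml === false) {
    http_response_code(500);
    exit('Feed could not be parsed');
}
echo "<ul>\n";
foreach ($xml->channel->item as $item) {
    echo render_item((string) $item->title, (string) $item->description);
}
echo "</ul>\n";
```

With this shape, a request such as ?feed=../../etc/passwd fails at the filename check before the filesystem is touched, a symlink inside the feed directory that points elsewhere fails the prefix check after realpath(), and a feed item containing `<script>` markup is rendered as visible text rather than executed, which is exactly what a test feed like the one described above can be used to confirm.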

If you haven't already "subscribed to this folder" you should. There will be updates, and you'll want to get an email.

The tarball is here: feedsplitter-2006-09-19.tar.gz
md5: 4cd12f22909f5b8641bf0115a76ce6cb

Again, you MUST UPDATE your feedsplitter installation, or stop using it. I apologize, profusely, for the inconvenience.

By Chris Snyder on September 19, 2006 at 8:37pm
