Grepular

Exploiting External Entities in RSS Feed Readers

Written 10 years ago by Mike Cardwell

Some of you who follow this blog via RSS/Atom may have noticed some strange text appearing in the feed last week. That was me exploiting external entities in your feed readers XML parser. The text you may have seen, is this:

!!! WARNING !!!

If you can see this text, your RSS reader is vulnerable to an XML External Entities Exploit as described here: [http://mikeknoop.com/lxml-xxe-exploit/](http://mikeknoop.com/lxml-xxe-exploit/)

Please contact the vendor of your RSS reader with this information, or alternatively, you can contact me at mike.cardwell@example.com

Essentially, I added this to the top of my RSS feed:

<!DOCTYPE title [ <!ELEMENT title ANY > <!ENTITY xxe SYSTEM "https://grepular.com/xxe.txt" >]>

And appended this to the <description/> tag:

&xxe;

After making those changes and monitoring my web logs, I found that a bunch of Tiny Tiny RSS readers suddenly started fetching https://grepular.com/xxe.txt. I also noticed that software written using the Perl module XML::Feed (including my own custom reader) was also fetching it. Both of these have now been fixed:

Tiny Tiny RSS bug

XML::Feed bug

I’ve also added a new test to The Email Privacy Tester for this issue. An SVG image is attached to the test email containing the exploit. If you have written any software which parses XML, you might want to make sure that external entities are disabled (unless you specifically know that they shouldn’t be).

Want to leave a tip?BitcoinMoneroZcashPaypalYou can follow this Blog using RSS. To read more, visit my blog index.