Faulty RSS-feeds

Taking a look at some logs from a RSS-collector two things raised my eyebrows. The first is how many feeds are being served by FeedBurner instead of directly being served by the website it self. The part that worries me is that a lot of those feeds also are about security, privacy and compliance. I think a lot of those people have something to think about in 2012.

The other thing that worries me even more is something I discussed with WordPress developers a couple of years ago and I know others who have done the same with other projects. A lot of projects learned to do input validation, but most of them still need to learn to do output validation. The parser I currently use appears to be very strict luckily and drops a feed when it doesn’€™t parse correctly. Here comes the funny part, other parses like from Google Reader seems to be more forgiving.

When I search for “libxml exploit” on Google Search I get 1.220.000 results back. I didn’t start searching for parsers currently in use, but this doesn’t look very promising. With current hash-issues in mind, how could this be used to be an attack vector? Keep in mind that a lot of sites use FeedBurner to take the load of there site. And yes, FeedBurner doesn’t really clean things up if I may believe my current logs. So the recipe looks like a good exploit to misuse, a high profile WordPress based website with FeedBurner enabled and watch the fireworks.

So maybe it is a good idea for 2012 to see if the parser I’m currently using is up to standard. This can become nasty very quickly if things go wrong. Maybe also a note to others, output validation matters together with input validation. The JavaScript-alert is still a funny one to deploy on websites.

2 thoughts on “Faulty RSS-feeds

  1. Daniel

    FeedBurner does statistics. Developers don’t know how to or do not want to spend time reading their servers’ access logs which would have provided almost all the same data.

  2. Hans Post author

    @Daniel Developers shouldn’t read access logs or maybe they should as most plugins stop giving you a redirect when you identify youself as FeedBurner ;-) Then again, FeedBurner is more then only statistics. They offload your feed in trade for statistics, but what a lot of webmasters forget is that it is forbidden to export personal data overseas for countries within the EU for example. In most cases IP-addresses are included as being personal data as it can be related and retraced to a person. A least that is in The Netherlands an issue.

    But again, developers really should start doing output validation. Making sure it is valide and safe. How many comment feeds are being offered thru FeedBurner and most of them are not sufficient checked. WordPress developers where informed years ago about this years ago and didn’t pay attention until an exploit was posted by some one. With SOPA around the corner things can become interesting to put it mildly ;-)

Comments are closed.