This has been cleared by Security Team for public due to Feeds not having a stable release
PuSHSubscriber.inc has print($_GET()) on 221
http://cgit.drupalcode.org/feeds/tree/libraries/PuSHSubscriber.inc?id=7....
```php
elseif ($_GET['hub_mode'] == 'unsubscribe') {
  $this->log('Verified "unsubscribe" request.');
  $verify = TRUE;
}
if ($verify) {
  header('HTTP/1.1 200 "Found"', NULL, 200);
  print $_GET['hub_challenge'];
  drupal_exit();
}
```
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | feeds-pub-xss-2495145-7.patch | 6.19 KB | twistor |
| #7 | feeds-pub-xss-2495145-7-should-fail.patch | 1.73 KB | twistor |
| #3 | feeds-pub-xss-2495145-3.patch | 4.46 KB | twistor |
Comments
Comment #1
cashwilliams commented
Comment #2
greggles commented
As far as I can tell this is reflected XSS that requires no interaction or permissions to trigger.
Feels more like a critical.
Comment #3
twistor commented
Alright, changed things around a bit. The pubsubhubbub standard has changed quite a bit. verify_token is gone. This patch makes the logic much easier to understand.
Uses drupal_random_key(40) for the hmac secret.
check_plain()s the challenge. <- This should solve the problem. From what I can tell, there aren't any restrictions on what the verify token can be, but this is the only way to fix the problem.
I have never looked at this code, ugh.
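An added example (not the Feeds module's code or the patch in this issue) that puts the unescaped echo from the issue summary beside a hardened handler of the kind comment #3 describes. Assumptions: Drupal is not bootstrapped, so `check_plain()` is defined locally with the same `htmlspecialchars()` call Drupal 7 uses; the function names `push_verify_vulnerable`, `push_verify_hardened`, the `$expected_topic` parameter and the request array are all constructed for the example.

```php
<?php
// Added example: vulnerable vs. hardened handling of a PubSubHubbub
// verification GET. Not the Feeds module's code.

if (!function_exists('check_plain')) {
  // Stand-in for Drupal 7's check_plain(): escapes &, <, >, " and '.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Vulnerable form: the challenge from the query string is printed back
 * verbatim in a response the browser treats as HTML, so a link to the
 * callback URL reflects whatever hub_challenge contains.
 */
function push_verify_vulnerable(array $get) {
  $mode = isset($get['hub_mode']) ? $get['hub_mode'] : '';
  if ($mode === 'subscribe' || $mode === 'unsubscribe') {
    return array('status' => 200, 'headers' => array(), 'body' => $get['hub_challenge']);
  }
  return array('status' => 404, 'headers' => array(), 'body' => '');
}

/**
 * Hardened form: the challenge is escaped before it is echoed (the approach
 * taken in this issue) and the body is declared text/plain so a browser never
 * renders it as markup. Unknown modes, a topic that does not match the stored
 * subscription, and an empty challenge are refused.
 */
function push_verify_hardened(array $get, $expected_topic) {
  $headers = array('Content-Type: text/plain; charset=utf-8');
  $mode = isset($get['hub_mode']) ? $get['hub_mode'] : '';
  $topic = isset($get['hub_topic']) ? $get['hub_topic'] : '';
  $challenge = isset($get['hub_challenge']) ? $get['hub_challenge'] : '';

  $mode_ok = ($mode === 'subscribe' || $mode === 'unsubscribe');
  if (!$mode_ok || $topic !== $expected_topic || $challenge === '') {
    return array('status' => 404, 'headers' => $headers, 'body' => '');
  }
  return array('status' => 200, 'headers' => $headers, 'body' => check_plain($challenge));
}

// Constructed request: a verification GET whose challenge carries markup.
$request = array(
  'hub_mode' => 'subscribe',
  'hub_topic' => 'http://example.com/feed.xml',
  'hub_challenge' => '<b>not a real challenge</b>',
);

$vuln = push_verify_vulnerable($request);
$safe = push_verify_hardened($request, 'http://example.com/feed.xml');
printf("vulnerable body: %s\n", $vuln['body']);
printf("hardened body:   %s\n", $safe['body']);

// A request for a topic this site never subscribed to is refused outright.
$other = push_verify_hardened($request, 'http://example.com/other.xml');
printf("foreign topic -> HTTP %d\n", $other['status']);
```

Two things worth noting about the trade-off. Escaping changes the echoed bytes whenever the challenge contains `&`, `<`, `>`, `"` or `'`, so a hub that uses those characters would see its verification fail; comment #3 accepts that since the challenge format is unconstrained. Sending the body as `text/plain` is an additional, independent layer in this example: it keeps the browser from interpreting the response even where the echo is exact, and it is not something the issue's patch is claimed to do.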
Comment #5
twistor commented
Bumping to dev, since that bug that broke the test is already fixed.
Working on a test to verify the fix. Once it's done, I'll make a special release with just this patch in it.
Comment #7
twistor commented
Comment #9
klausi commented
No direct print_r of $_GET anymore, looks good from a visual review.
Comment #11
twistor commented