2006-09-11.19:07:00.plagger_vulnerability
So here's the explanation of what is wrong with Plagger for those who didn't see my talk at YAPC::EU. Plagger is a very flexible aggregator which can be used to aggregate RSS and Atom feeds. By using the planet plugin, one can build an HTML page containing all the feeds one wants aggregated in one convenient place. An example would be the YAPC::EU planet.

Planet Plagger uses the HTML::Scrubber module, supposedly to remove any dangerous JavaScript. This Atom feed will bypass Planet Plagger's filters and allow arbitrary JavaScript in various elements. In addition, Plagger, and in fact most RSS/Atom feed readers, are vulnerable to cross-site request forgery, which this feed will also demonstrate by changing the ASCII name and email address of anyone with cached CPAN credentials who happens to see it. An example of this can be seen here, which has been generated from this Atom feed.

This is made even more dangerous if, as in the YAPC::EU planet, the feeds are automatically found on a search engine like Technorati based upon some well-known tag.