CEP extensions have full access to the file system and can run arbitrary applications. Given this kind of privilege, it might be a good idea to take security seriously. So it’s rather counterproductive that the RSSReader sample has a Remote Code Execution vulnerability that could, if somebody actually used that extension, allow a malicious website to take over the user’s system.

The issue is in this line:
https://github.com/Adobe-CEP/Samples/blob/2cd368a84e86e9f5c85ad403140a09aaadbb4fd4/RSSReader/js/main.js#L85

`item.title` is untrusted data, coming from an RSS feed on a potentially malicious website. Here it is being inserted into HTML code without any sanitization, so a malicious title like

`Malicious<script>cep.process.createProcess(["c:\\windows\\system32\\calc.exe"]);</script>`

should be able to run the calculator application (untested, might need minor modifications to actually work).

Properly sanitizing RSS data is actually not trivial. I see however that RSS post contents are inserted via a Mustache template, with escaping on. So I guess that correct functioning isn’t the goal here, and maybe the post title could be escaped here in the same way.

On a more general note, using jQuery encourages this kind of vulnerability. So maybe the samples shouldn’t use a framework, or they should at least use a framework that doesn’t immediately produce security vulnerabilities if not used carefully.
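The following is an added example, not code from the Adobe-CEP Samples repository or from the issue author. It reconstructs the pattern the report describes (an untrusted feed title concatenated into markup that jQuery will parse) next to an escaped version, using a constructed feed item carrying the payload from the report. The list markup, the function names and the `safeHref` check are assumptions made for illustration; the sample's own line 85 is not reproduced here. The `safeHref` check goes one step beyond the report: it also refuses non-http(s) schemes in the feed's `link` field, which escaping alone does not cover.

```javascript
// Added example (not from the Adobe-CEP Samples repo): untrusted RSS title
// concatenated into HTML, beside the escaped form. Markup is a stand-in for
// the sample's own rendering, not a copy of it.

// Constructed feed item with an attacker-controlled title. Inside a CEP panel
// the embedded script would have access to the cep.process API.
const maliciousItem = {
  title: 'Malicious<script>cep.process.createProcess(["c:\\\\windows\\\\system32\\\\calc.exe"]);</script>',
  link: "https://example.invalid/post",
};

// Minimal HTML escaping, the same effect Mustache's {{ }} tags have for these
// five characters: the browser can then only build text nodes from the value.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed helper: only allow http(s) links from the feed. Escaping does not stop
// a javascript: URL in an href, so the scheme has to be checked separately.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) {
    // not an absolute, parseable URL
  }
  return "#";
}

// Vulnerable pattern: feed fields dropped straight into a markup string that is
// later handed to jQuery .html()/.append(). The <script> element survives intact.
function renderItemUnsafe(item) {
  return '<li><a href="' + item.link + '">' + item.title + "</a></li>";
}

// Fixed pattern: every feed field is escaped (and the link scheme checked)
// before it touches markup.
function renderItemSafe(item) {
  return '<li><a href="' + escapeHtml(safeHref(item.link)) + '">' +
    escapeHtml(item.title) + "</a></li>";
}

// Quick check a reviewer can run over rendered feed markup: did a <script> tag
// that originated in feed data make it into the HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderItemUnsafe(maliciousItem));
console.log("safe:  ", renderItemSafe(maliciousItem));
console.log("unsafe contains <script>:", containsScriptTag(renderItemUnsafe(maliciousItem)));
console.log("safe contains <script>:  ", containsScriptTag(renderItemSafe(maliciousItem)));
```

In the real extension the same result is easier to get by not building markup strings at all: create the elements with jQuery and set the untrusted values through `.text()` and `.attr("href", ...)`, which write DOM properties rather than parsing HTML.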