Interesting security notice via PHPSec on vTiger (open source customer relationship management system). Beyond the normal XSS vulnerabilities that were reported was an interesting topic of an exploit that I had not given much thought to before.

The method he refers to here deals with vTigers ability to read in RSS blogs, but no checking is done. Thus, a malicious user could enter "crap" into the blog and trick someone using vTiger to read it in. This "RSS attack" isn't something new, but it doesn't get a lot of press. It should, however, be paid attention to, since the results could be quite detrimential to you and your site...]]> Fri, 25 Nov 2005 06:50:46 -0600