# Exploiting External Entities in RSS Feed Readers

Some of you who follow this blog via RSS/Atom may have noticed some strange text
appearing in the feed last week. That was me exploiting external entities in
your feed readers XML parser. The text you may have seen, is this:

```text
!!! WARNING !!!

If you can see this text, your RSS reader is vulnerable to an XML External Entities Exploit as described here: https://mikeknoop.com/lxml-xxe-exploit/

Please contact the vendor of your RSS reader with this information, or alternatively, you can contact me at mike.cardwell@example.com
```

Essentially, I added this to the top of my RSS feed:

```text
<!DOCTYPE title [ <!ELEMENT title ANY > <!ENTITY xxe SYSTEM "https://www.grepular.com/xxe.txt" >]>
```

And appended this to the &lt;description/&gt; tag:

```text
&xxe;
```

After making those changes and monitoring my web logs, I found that a bunch of
[Tiny Tiny RSS](https://tt-rss.org/) readers suddenly started fetching
https://www.grepular.com/xxe.txt. I also noticed that software written using the
Perl module [XML::Feed](https://metacpan.org/pod/XML::Feed) (including my own
custom reader) was also fetching it. Both of these have now been fixed:

[Tiny Tiny RSS bug](https://tt-rss.org/redmine/issues/833)

[XML::Feed bug](https://rt.cpan.org/Public/Bug/Display.html?id=100660)

I've also added a new test to [The Email Privacy
Tester](https://www.emailprivacytester.com/) for this issue. An SVG image is
attached to the test email containing the exploit. If you have written any
software which parses XML, you might want to make sure that external entities
are disabled (unless you specifically know that they shouldn't be).