lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue Dec 20 02:02:58 2005
From: andfarm at gmail.com (Andrew Farmer)
Subject: LiveJournal CSS/JS injection vulnerability

SUMMARY
----------------------------------------------------------------------
The popular Livejournal[1] social networking software contained an
error which allowed for the inclusion of Javascript in user-supplied
content.

[1] http://www.livejournal.org/, http://www.livejournal.com/


BACKGROUND
----------------------------------------------------------------------
"LiveJournal is an online journal service with an emphasis on user
interaction."[2] It has historically had a relatively restrictive
attitude toward user-supplied web content, opting to not allow users
to include active content such as embedded plugins and scripts. This
attitude has generally prevented the creation and spread of malicious
content, such as the two worms which appeared on MySpace in recent
months. However, this position also requires that content be carefully
parsed - and a recent discovery showed that their code has its issues.

[2] http://www.livejournal.com/support/faqbrowse.bml?faqid=56


DESCRIPTION
----------------------------------------------------------------------
Livejournal parses all user-supplied HTML through a script called
cleanhtml.pl (located at livejournal/cgi-bin/cleanhtml.pl). All HTML
attributes containing the literal text 'javascript' are stripped by
default. However, if the cleancss option is enabled - which it is in
most installations, including the one at livejournal.com - style
attributes will have slashes stripped after the check for the text
'javascript' is made, causing a style property containing the text
'java\script' to be modified to 'javascript' and passed through. As
many web browsers allow "javascript:" to be used as a pseudo-URI, this
allows for the creation of content that will execute arbitrary script
code on a user's browser when viewed.

For example, the HTML content

<span style="background:url('javas\cript:(function
	x(){alert(&quot;boo&quot;)})();');">test</span>

will be accepted by an unpatched LiveJournal installation; the slash
will be removed, causing a dialog to be displayed when the content is
viewed.


FIXES
----------------------------------------------------------------------
As of 7 Dec 2005, LiveJournal CVS contains a fix to this issue:
cleanhtml.pl now searches for the text 'javascript' in CSS *after*
stripping slashes:

> --- cgi-bin/cleanhtml.pl	22 Oct 2005 03:17:05 -0000	1.129
> +++ cgi-bin/cleanhtml.pl	7 Dec 2005 08:50:41 -0000	1.130
> @@ -319,7 +319,7 @@
>                          $hash->{$attr} =~ s/\\//g;
>
>                          # and catch the obvious ones ("[" is for  
> things like document["coo"+"kie"]
> -                        foreach my $css ("/*", "[", qw(absolute  
> fixed expression eval behavior cookie document window)) {
> +                        foreach my $css ("/*", "[", qw(absolute  
> fixed expression eval behavior cookie document window javascript)) {
>                              if ($hash->{$attr} =~ /\Q$css\E/i) {
>                                  delete $hash->{$attr};
>                                  next ATTR;

All sites using the LiveJournal code are urged to upgrade, or apply
this patch, as soon as possible.


ACKNOWLEDGEMENTS
----------------------------------------------------------------------
The author would like to acknowledge Hoshikuzu Stardust (st4rdust at
gmail.com) for reporting a related issue involving the escaping of
control characters in CSS; this vulnerability was discovered during
experimentation and testing regarding that issue.


HISTORY
----------------------------------------------------------------------
Discovery: circa 5 Dec 2005

Vendor notified: 5 Dec 2005

Patch implemented: 7 Dec 2005

Public disclosure: 19 Dec 2005


AUTHOR
----------------------------------------------------------------------
Andrew Farmer is a student at Harvey Mudd College.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051219/20420fac/PGP.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ