lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 19 Feb 2004 21:18:49 -0000
From: Joshua Miller <jpmiller@....net>
To: bugtraq@...urityfocus.com
Subject: LiveJournal XSS




LiveJournal (www.livejournal.org), an open source software package used to create popular Internet journals such as LiveJournal (www.livejournal.com) and DeadJournal (www.deadjournal.com), is vulnerable to an XSS vulnerability which allows an attacker to execute script code in a user's browser.

The vulnerability arises out of insufficient sanitization of a user-supplied URL pointing to an image that they wish to display as their journal's background. If we were to use the string "www.google.com" as our URL, the following would be inserted into our journal's stylesheet:

body { background-image: url(www.google.com); }

While LiveJournal removes all markup from this string, it does not filter out parentheses or semicolons, thus allowing us to insert JavaScript code into the stylesheet. For example:

); background:url(javascript:alert("XSS!")

If we were to submit the above as our URL, this is what would be inserted into the stylesheet:

body { background-image: url(); background:url(javascript:alert("XSS!")); }

Obviously, this presents a wide range of possible attack methods (redirection, cookie stealing, etc.) The injected code is executed when a victim view's the journal of the attacker. I discovered this vulnerability on Wednesday, Feburary 18, 2004.


Powered by blists - more mailing lists