Message-ID: <D64AC92E-A099-11D9-807D-003065EA6144@geckotribe.com>
Date: Tue, 29 Mar 2005 14:30:56 -0700
From: Antone Roundy <antone@...kotribe.com>
To: bugtraq@...urityfocus.com
Subject: Code insertion in Blogger comments


Having notified Blogger of this twice--once early last October and 
again mid-January of this year--and not seeing them take any action 
(beyond saying that they'll look at it) or warn their users, I think 
it's time to warn people.  Under the following conditions, Blogger 
weblogs are vulnerable to executable code insertion by third parties:

* Comments must be enabled.
* The server must support server-side processing, such as PHP, ASP, 
SSI, etc. (I'm pretty sure Blogspot-hosted blogs are NOT vulnerable).
* The Archive Filename (in the Settings/Archiving tab) must have an 
extension which triggers server-side processing, such as .php, .asp, 
.shtml, etc.  Depending on one's server configuration, files with 
extensions like .html and .htm may also be server-side-processed--no 
particular extension is necessarily safe.
* It may be necessary to have individual post pages enabled (also in 
the Settings/Archiving tab)--I haven't checked where the comments go 
with that setting off.

Under these circumstances, an attacker may inject executable code into 
the archive page by posting a comment to the weblog because, while 
Blogger automatically strips most HTML from comments, they do not strip 
processing instructions.  Blogger should be stripping out EVERYTHING 
between a "<" and the next ">" unless it is one of the allowed HTML 
tags, or should be stripping all unapproved HTML and converting any 
remaining "<" characters that aren't part of approved HTML to &lt;.

Antone Roundy
antone@...kotribe.com

RSS & Atom Tools: http://www.geckotribe.com/rss/
RSS & Atom Feed Directory: http://chordata.geckotribe.com/
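As an added illustration (not part of the original post), the following Python contrasts a comment filter that strips only HTML-shaped tags, which is the gap described above, with the whitelist approach the post recommends; the allowed-tag list and the sample comments are assumed and constructed, not taken from Blogger.

```python
import re

# Assumed whitelist of harmless formatting tags, accepted with no attributes so
# that an attribute can never carry anything through the filter.
ALLOWED_TAGS = ("b", "i", "em", "strong")
ALLOWED_TAG_RE = re.compile(r"<(/?)(%s)>" % "|".join(ALLOWED_TAGS), re.IGNORECASE)

# What an HTML-only filter looks for: '<', optional '/', then a letter-led name.
# '<?php', '<%' and '<!--#' do not have that shape and are never matched.
HTML_TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>")


def naive_sanitize(comment):
    """Strip HTML tags that are not whitelisted, and nothing else.
    This models the filter the post describes: server-side processing
    instructions are not HTML tags, so they pass through untouched."""
    def keep_or_drop(m):
        return m.group(0) if m.group(2).lower() in ALLOWED_TAGS else ""
    return HTML_TAG_RE.sub(keep_or_drop, comment)


def strict_sanitize(comment):
    """Treat every '<' as hostile unless it opens an allowed tag, as the post
    recommends: allowed tags are copied through (normalised to lower case),
    every other '<' becomes '&lt;' and every stray '>' becomes '&gt;', so no
    markup of any dialect (HTML, PHP, ASP, SSI) survives."""
    out = []
    i = 0
    while i < len(comment):
        ch = comment[i]
        if ch == "<":
            m = ALLOWED_TAG_RE.match(comment, i)
            if m:
                out.append(m.group(0).lower())
                i = m.end()
                continue
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# Constructed sample comments: plain HTML, a PHP processing instruction and an
# SSI directive (both inert strings here, used only as filter input).
SAMPLES = [
    "Nice post, <b>really</b> and <u>more</u>",
    'Hello <?php echo "hi"; ?> world',
    'Today is <!--#echo var="DATE_LOCAL" -->',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("naive :", naive_sanitize(s))
        print("strict:", strict_sanitize(s))
```

Running it shows the naive filter removing the `<u>` tag but passing the PHP and SSI fragments through unchanged, while the strict filter neutralises both.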
