Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] LiveJournal CSS/JS injection vulnerability



> ------------------------------
> 
> Message: 13
> Date: Mon, 19 Dec 2005 18:02:46 -0800
> From: Andrew Farmer <andfarm@xxxxxxxxx>
> Subject: [Full-disclosure] LiveJournal CSS/JS injection vulnerability
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <628C9A04-0EA3-4DC0-A593-58D00BA6432C@xxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> SUMMARY
> ----------------------------------------------------------------------
> The popular Livejournal[1] social networking software contained an
> error which allowed for the inclusion of Javascript in user-supplied
> content.
> 
> [1] http://www.livejournal.org/, http://www.livejournal.com/
> 
> 
> BACKGROUND
> ----------------------------------------------------------------------
> "LiveJournal is an online journal service with an emphasis on user
> interaction."[2] It has historically had a relatively restrictive
> attitude toward user-supplied web content, opting to not allow users
> to include active content such as embedded plugins and scripts. This
> attitude has generally prevented the creation and spread of malicious
> content, such as the two worms which appeared on MySpace in recent
> months. However, this position also requires that content be carefully
> parsed - and a recent discovery showed that their code has its issues.
> 
> [2] http://www.livejournal.com/support/faqbrowse.bml?faqid=56
> 
> 
> DESCRIPTION
> ----------------------------------------------------------------------
> Livejournal parses all user-supplied HTML through a script called
> cleanhtml.pl (located at livejournal/cgi-bin/cleanhtml.pl). All HTML
> attributes containing the literal text 'javascript' are stripped by
> default. However, if the cleancss option is enabled - which it is in
> most installations, including the one at livejournal.com - style
> attributes will have slashes stripped after the check for the text
> 'javascript' is made, causing a style property containing the text
> 'java\script' to be modified to 'javascript' and passed through. As
> many web browsers allow "javascript:" to be used as a pseudo-URI, this
> allows for the creation of content that will execute arbitrary script
> code on a user's browser when viewed.
> 
> For example, the HTML content
> 
> <span style="background:url('javas\cript:(function
>       x(){alert(&quot;boo&quot;)})();');">test</span>
> 
> will be accepted by an unpatched LiveJournal installation; the slash
> will be removed, causing a dialog to be displayed when the content is
> viewed.
> 
> 
> FIXES
> ----------------------------------------------------------------------
> As of 7 Dec 2005, LiveJournal CVS contains a fix to this issue:
> cleanhtml.pl now searches for the text 'javascript' in CSS *after*
> stripping slashes:
> 
> > --- cgi-bin/cleanhtml.pl    22 Oct 2005 03:17:05 -0000      1.129
> > +++ cgi-bin/cleanhtml.pl    7 Dec 2005 08:50:41 -0000       1.130
> > @@ -319,7 +319,7 @@
> >                          $hash->{$attr} =~ s/\\//g;
> >
> >                          # and catch the obvious ones ("[" is for  
> > things like document["coo"+"kie"]
> > -                        foreach my $css ("/*", "[", qw(absolute  
> > fixed expression eval behavior cookie document window)) {
> > +                        foreach my $css ("/*", "[", qw(absolute  
> > fixed expression eval behavior cookie document window javascript)) {
> >                              if ($hash->{$attr} =~ /\Q$css\E/i) {
> >                                  delete $hash->{$attr};
> >                                  next ATTR;
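Review bot: adding 'javascript' to the word list after `$hash->{$attr} =~ s/\\//g;` fixes the ordering bug, but the loop is still a case-insensitive substring denylist, so its safety now depends on the strip running first. A reviewer would ask for that dependence to be made explicit (a comment above the loop stating that the list is matched only on the unescaped value) and for a regression test using the advisory's `javas\cript:` sample. The more robust shape is to parse `url()` targets out of the attribute and accept only http/https or relative references, rather than extending the list of forbidden words.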
> 
> All sites using the LiveJournal code are urged to upgrade, or apply
> this patch, as soon as possible.
> 
> 
> ACKNOWLEDGEMENTS
> ----------------------------------------------------------------------
> The author would like to acknowledge Hoshikuzu Stardust (st4rdust at
> gmail.com) for reporting a related issue involving the escaping of
> control characters in CSS; this vulnerability was discovered during
> experimentation and testing regarding that issue.
> 
> 
> HISTORY
> ----------------------------------------------------------------------
> Discovery: circa 5 Dec 2005
> 
> Vendor notified: 5 Dec 2005
> 
> Patch implemented: 7 Dec 2005
> 
> Public disclosure: 19 Dec 2005
> 
> 
> AUTHOR
> ----------------------------------------------------------------------
> Andrew Farmer is a student at Harvey Mudd College.
> 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: PGP.sig
> Type: application/pgp-signature
> Size: 186 bytes
> Desc: This is a digitally signed message part
> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051219/20420fac/PGP-0001.bin
> 
> ------------------------------
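As an added example, not the advisory's or LiveJournal's own code, the following Python models the cleanhtml.pl ordering bug described above: the 1.129 flow checks for 'javascript' before the cleancss slash strip, the 1.130 flow checks after it, and a third variant goes beyond the patch by accepting only http/https or relative url() targets. Function names, the denylist constant and the sample style value are constructed for this illustration.

```python
import re

# Constructed sample mirroring the advisory: a backslash splits the keyword
# so a check made before slash stripping does not see 'javascript'.
SAMPLE_STYLE = "background:url('javas\\cript:(function x(){alert(\"boo\")})();')"

# Word list from the 1.129 CSS loop (constructed copy, no 'javascript' yet).
DENYLIST = ("/*", "[", "absolute", "fixed", "expression", "eval",
            "behavior", "cookie", "document", "window")

URL_RE = re.compile(r"url\(\s*['\"]?\s*([^'\")]*)", re.IGNORECASE)


def _contains_denied(value, tokens):
    """Case-insensitive substring match, like /\\Q$css\\E/i in the Perl loop."""
    low = value.lower()
    return any(tok.lower() in low for tok in tokens)


def clean_style_vulnerable(value):
    """Models 1.129: the generic 'javascript' check runs on the raw attribute,
    the cleancss strip then removes backslashes, and the CSS loop never looks
    for 'javascript', so 'java\\script' is reassembled and passed through."""
    if "javascript" in value.lower():
        return None
    value = value.replace("\\", "")          # cleancss slash strip
    return None if _contains_denied(value, DENYLIST) else value


def clean_style_fixed(value):
    """Models 1.130: strip first, then match a list that includes 'javascript'."""
    value = value.replace("\\", "")
    return None if _contains_denied(value, DENYLIST + ("javascript",)) else value


def clean_style_allowlist(value):
    """Beyond the patch: after unescaping, every url() target must be relative
    or use http/https; a denied substring elsewhere still rejects the value."""
    value = value.replace("\\", "")
    for target in URL_RE.findall(value):
        target = target.strip().lower()
        # Anything before the first ':' is treated as the scheme (conservative:
        # a relative path containing ':' is rejected too).
        scheme = target.split(":", 1)[0] if ":" in target else ""
        if scheme and scheme not in ("http", "https"):
            return None
    return None if _contains_denied(value, DENYLIST + ("javascript",)) else value
```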
Copyright © Lexa Software, 1996-2009.