Bugtraq mailing list archives
Code insertion in Blogger comments
From: Antone Roundy <antone () geckotribe com>
Date: Mon, 28 Mar 2005 15:51:57 -0700
Having notified Blogger of this twice over the course of a number of months, and not seeing them take any action (beyond saying that they'll look at it) or warn their users, I think it's time to warn people. Under the following conditions, Blogger weblogs are vulnerable to executable code insertion by third parties:
* Comments must be enabled.* The server must support server-side processing, such as PHP, ASP, SSI, etc. (I'm pretty sure Blogspot-hosted blogs are NOT vulnerable). * The Archive Filename (in the Settings/Archiving tab) must have an extension which triggers server-side processing, such as .php, .asp, .shtml, etc. Depending on one's server configuration, files with extensions like .html and .htm may also be server-side-processed--no particular extension is necessarily safe. * It may be necessary to have individual post pages enabled (also in the Settings/Archiving tab)--I haven't checked where the comments go with that setting off.
Under these circumstances, an attacker may inject executable code into the archive page by posting a comment to the weblog because, while Blogger automatically strips most HTML from comments, they do not strip processing instructions. Blogger should be stripping out EVERYTHING between a "<" and the next ">" unless it is one of the allowed HTML tags, or should be stripping all unapproved HTML and converting any remaining "<" characters that aren't part of approved HTML to <.
Antone Roundy antone () geckotribe com RSS & Atom Tools: http://www.geckotribe.com/rss/ RSS & Atom Feed Directory: http://chordata.geckotribe.com/
Current thread:
- Code insertion in Blogger comments Antone Roundy (Mar 29)
- <Possible follow-ups>
- Code insertion in Blogger comments Antone Roundy (Mar 29)