[typo] XSS vulnerability?

Micah Wylde wyldeone at gmail.com
Sat Nov 26 18:41:23 EST 2005


JS in comments works on my trunk blog as well. Here's an example of what a
commenter can do with this:
<script type="text/javascript">
element = $("wrapper")
Element.hide(element);
</script>
This causes the whole page to disappear. If this works in production blogs,
this appears to be a pretty serious hole.

On 11/26/05, gpshewan <gpsnospam at gmail.com> wrote:
>
> Is this what you're after Scott?
>
> $ rake
> /usr/bin/ruby1.8 -Ilib:test "/usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb" "test/unit/article_test.rb" "test/unit/blacklist_pattern_test.rb" "test/unit/category_test.rb" "test/unit/comment_test.rb" "test/unit/configuration_test.rb" "test/unit/delicious_test.rb" "test/unit/flickr_test.rb" "test/unit/fortythree_test.rb" "test/unit/page_cache_test.rb" "test/unit/page_test.rb" "test/unit/ping_test.rb" "test/unit/resource_test.rb" "test/unit/setting_test.rb" "test/unit/sidebar_test.rb" "test/unit/theme_test.rb" "test/unit/trackback_test.rb" "test/unit/user_test.rb" "test/unit/audioscrobbler_test.rb" "test/unit/observer_test.rb" "test/unit/tag_test.rb" "test/unit/text_filter_test.rb"
> /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require__': no such file to load -- http_mock (MissingSourceFile)
>          from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require'
>          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:214:in `require'
>          from ./test/unit/article_test.rb:3
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5:in `load'
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5:in `each'
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
> /usr/bin/ruby1.8 -Ilib:test "/usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb" "test/functional/accounts_controller_test.rb" "test/functional/articles_controller_test.rb" "test/functional/backend_controller_test.rb" "test/functional/theme_controller_test.rb" "test/functional/xml_controller_test.rb" "test/functional/textfilter_controller_test.rb" "test/functional/admin/blacklist_controller_test.rb" "test/functional/admin/categories_controller_test.rb" "test/functional/admin/comments_controller_test.rb" "test/functional/admin/content_controller_test.rb" "test/functional/admin/general_controller_test.rb" "test/functional/admin/themes_controller_test.rb" "test/functional/admin/trackbacks_controller_test.rb" "test/functional/admin/users_controller_test.rb" "test/functional/admin/article_preview_test.rb" "test/functional/admin/pages_controller_test.rb" "test/functional/admin/resources_controller_test.rb"
> /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require__': no such file to load -- dns_mock (MissingSourceFile)
>          from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require'
>          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:214:in `require'
>          from ./test/functional/articles_controller_test.rb:3
>          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:207:in `load'
>          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:207:in `load'
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5:in `each'
>          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
> rake aborted!
> Test failures
>
>
>
> On 26 Nov 2005, at 16:45, Scott Laird wrote:
>
> > Argh!  It's supposed to be filtered.  What happens when you run
> > 'rake'?  There are several XSS-related tests; do any tests fail?
> >
> >
> > Scott
> >
> > On Nov 26, 2005, at 8:28 AM, gpshewan wrote:
> >
> >> Not being a javascript expert, how much of a concern is Ticket #551
> >> that nikanorov just submitted?
> >>
> >>> Why when I add comment like ---comment---- <script> alert ("Typo
> >>> sucks"); </script> ---comment----
> >>>
> >>> it works? Are you kidding?
> >> And he's right ... it does.
> >>
> >> Gary
> >> _______________________________________________
> >> Typo-list mailing list
> >> Typo-list at rubyforge.org
> >> http://rubyforge.org/mailman/listinfo/typo-list
> >
>



--
Micah Wylde
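The fix the thread is asking for is filtering on the server side. Below is an escape-by-default comment sanitizer, an added example and not code from Typo, run over the payload quoted above: unknown tags such as script are rendered as inert text, and only an allow-listed set of tags and attributes is re-emitted from a clean template. The allow-list contents, SAFE_HREF and the function names are assumptions.

```ruby
require 'cgi'

# Allow-list of tags a commenter may use, each with the attributes it may carry.
# Everything else (script, style, iframe, event handlers, ...) is rendered as text.
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
  'a' => ['href']
}.freeze
# Only these URL prefixes survive in href; any other scheme is dropped.
SAFE_HREF = %r{\A(https?://|mailto:|/)}i

TAG_RE  = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)\s*([^>]*?)\s*/?>\z}
ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Rebuild one allowed tag from scratch, keeping only allow-listed attributes.
def rewrite_tag(closing, name, attr_str)
  return "</#{name}>" unless closing.empty?
  attrs = attr_str.scan(ATTR_RE).map do |key, dq, sq, bare|
    key = key.downcase
    val = dq || sq || bare
    next unless ALLOWED_TAGS[name].include?(key)
    next if key == 'href' && val !~ SAFE_HREF
    %( #{key}="#{CGI.escapeHTML(val)}")
  end
  "<#{name}#{attrs.compact.join}>"
end

# Escape-by-default: text, stray '<' and unknown tags are HTML-escaped;
# allowed tags are re-emitted through rewrite_tag, never copied through.
def sanitize_comment(html)
  out = +''
  html.scan(/<[^>]*>|[^<]+|</) do |tok|
    m = tok.match(TAG_RE)
    if m && ALLOWED_TAGS.key?(m[2].downcase)
      out << rewrite_tag(m[1], m[2].downcase, m[3])
    else
      out << CGI.escapeHTML(tok)
    end
  end
  out
end

# Constructed sample: the comment payload quoted in the thread above.
PAYLOAD = %(<script type="text/javascript">\nelement = $("wrapper")\nElement.hide(element);\n</script>)

if __FILE__ == $PROGRAM_NAME
  puts sanitize_comment(PAYLOAD)
  puts sanitize_comment('Nice post! <b>Bold</b> and <a href="http://example.com/">a link</a>.')
end
```

Because the output is rebuilt rather than filtered by blacklist, a tag name written in a different case or with extra attributes gets the same treatment as the plain form.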