Arbitrary (javascript) code injection allowed through profile page

Chronoshock

Diamond Member
Jul 6, 2004
There is no form validation in the profile page, allowing for execution of arbitrary JS (think redirects, cookies, etc.). PM me for full details, but I assume anyone who's part of the avatar modifying spree on OT will know what it is.
 

Cogman

Lifer
Sep 19, 2000
Agreed that this is a fairly serious issue (though nobody has tried anything with it yet).
 

olds

Elite Member
Mar 3, 2000
Originally posted by: Chronoshock
There is no form validation in the profile page, allowing for execution of arbitrary JS (think redirects, cookies, etc.). PM me for full details, but I assume anyone who's part of the avatar modifying spree on OT will know what it is.

LoKe?
 

esquared

Forum Director & Omnipotent Overlord
Forum Director
Oct 8, 2000
I have locked the thread and stickied it in OT. Anyone continuing this after 7:05 PM PST will be vacationed.


esquared
Anandtech Senior Moderator
 

Red Squirrel

No Lifer
May 24, 2003
Yeah, while it is funny and that thread was fun, this could be dangerous. I am not sure if it escapes < > and " properly but I did not really want to try. ;) I have a big feeling it does not.

To put into perspective someone could steal cookies, which means gaining access to any user's session (even a mod or admin). I hope I'm not saying too much here, but just putting into perspective how dangerous this is. ;)
 

Cogman

Lifer
Sep 19, 2000
Originally posted by: esquared
I have locked the thread and stickied it in OT. Anyone continuing this after 7:05 PM PST will be vacationed.


esquared
Anandtech Senior Moderator

While a stiff warning and all is good, this really should be fixed in the code as well. The code for removing this security flaw is fairly simple to implement and could prevent a large amount of future discoveries.
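The fix Cogman calls "fairly simple" is output encoding of the profile fields Red Squirrel mentions (escaping < > and "), plus an allowlist check on the avatar URL so that only a plain http(s) address can reach the page. The following is an added example written for this thread, not code from the forum software or from any poster; the field names and the sample profile are constructed for the demonstration, and the audit function is a defender's check for values that were stored before escaping was in place.

```python
import html
import urllib.parse

# Constructed sample profile (field names are assumptions for this example,
# not the forum's real schema). The signature carries a harmless marker tag
# and the avatar URL tries to break out of an attribute; neither is executed
# once the fields are encoded on output.
SAMPLE_PROFILE = {
    "display_name": 'Chrono "the" Shock',
    "signature": "<script>alert('profile-xss-marker')</script>",
    "avatar_url": 'http://example.invalid/avatar.png" onerror="alert(1)',
}


def escape_field(value: str) -> str:
    """Encode a user-supplied string for HTML text and attribute contexts.
    quote=True turns " and ' into entities as well as & < >."""
    return html.escape(value, quote=True)


def validate_avatar_url(url: str) -> bool:
    """Allowlist check: only http(s) URLs with a host, and no characters
    that could terminate an attribute or tag. Anything else is rejected
    rather than escaped, because a URL is also interpreted by the browser."""
    if any(ch in url for ch in '<>"\'') or any(ch.isspace() for ch in url):
        return False
    parts = urllib.parse.urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_profile_html(profile: dict) -> str:
    """Render the profile with every user-controlled value encoded. The
    avatar is dropped entirely if it fails the allowlist check."""
    name = escape_field(profile.get("display_name", ""))
    sig = escape_field(profile.get("signature", ""))
    avatar = profile.get("avatar_url", "")
    img = ""
    if validate_avatar_url(avatar):
        img = f'<img src="{escape_field(avatar)}" alt="{name}">'
    return f'<div class="profile">{img}<h2>{name}</h2><p class="sig">{sig}</p></div>'


def find_unescaped_markup(stored_fields: dict) -> list:
    """Audit helper: names of stored fields that still contain raw < > or ",
    i.e. values that must not be emitted without going through escape_field."""
    return [
        name for name, value in stored_fields.items()
        if any(ch in value for ch in '<>"')
    ]


if __name__ == "__main__":
    print(render_profile_html(SAMPLE_PROFILE))
    print("fields needing review:", find_unescaped_markup(SAMPLE_PROFILE))
```

Encoding happens at render time, not on input, so the audit function only tells you which stored values would have been dangerous under the old code; the same values become inert once every output path goes through escape_field.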
 

Newbian

Lifer
Aug 24, 2008
Once people were breaking the forums with large images you knew things were coming to an end fast.
 

Chronoshock

Diamond Member
Jul 6, 2004
Just to note... malicious behavior could be entirely transparent to its victims. It's not easy to detect when this has been abused, so it needs to be fixed proactively, not reactively.
 

Cogman

Lifer
Sep 19, 2000
Originally posted by: RedSquirrel
Yeah, while it is funny and that thread was fun, this could be dangerous. I am not sure if it escapes < > and " properly but I did not really want to try. ;) I have a big feeling it does not.

To put into perspective someone could steal cookies, which means gaining access to any user's session (even a mod or admin). I hope I'm not saying too much here, but just putting into perspective how dangerous this is. ;)

Agreed, there is a VERY large amount of things that could be done with this, and a lot of them could be implemented in such a way that we would never actually see the code being executed. It is a very dangerous flaw to have (not like harmless timewarps).
 

benzylic

Golden Member
Jun 12, 2006
Originally posted by: RedSquirrel
To put into perspective someone could steal cookies, which means gaining access to any user's session (even a mod or admin). I hope I'm not saying too much here, but just putting into perspective how dangerous this is. ;)

Isn't that how LoKe got into the mod account, stealing cookies?

 

olds

Elite Member
Mar 3, 2000
Originally posted by: mxrider
Originally posted by: RedSquirrel
To put into perspective someone could steal cookies, which means gaining access to any user's session (even a mod or admin). I hope I'm not saying too much here, but just putting into perspective how dangerous this is. ;)

Isn't that how LoKe got into the mod account, stealing cookies?

Why didn't I say that? Oh, wait.
 

Drakkon

Diamond Member
Aug 14, 2001
I love the reaction - rather than focus on the problem they just don't want us using non-standard avatars - brilliant!

What is to say I save a copy of a "good" avatar - upload it to my own domain - and use it instead? It would look the same but imagine the possibilities....
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
Originally posted by: RedSquirrel
Yeah, while it is funny and that thread was fun, this could be dangerous. I am not sure if it escapes < > and " properly but I did not really want to try. ;) I have a big feeling it does not.

To put into perspective someone could steal cookies, which means gaining access to any user's session (even a mod or admin). I hope I'm not saying too much here, but just putting into perspective how dangerous this is. ;)

It doesn't, and is a "showstopping" issue. OP even demonstrated a proof of concept, but thankfully did not share how to do it.
 
Oct 27, 2007
Guys this is a BIG DEAL and goes way beyond off-site avatars. Arbitrary JS leaves every user here potentially exposed to cross site scripting attacks. I haven't looked into the details but this is a major concern if what the OP says is true.
 

Crono

Lifer
Aug 8, 2001
Not to incite any attacks, but I would rather have people (white hats, if you prefer) exploiting the system en masse now with "proof of concept" exploitation and forcing AT staff to fix it rather than someone maliciously exploiting it at any random time.

Assuming it would be fixed quickly by AT staff...
 

Platypus

Lifer
Apr 26, 2001
Easy potential for contained XSS with this, without saying more it'd be quite possible for someone with an admin account to simply view a thread that a malicious user has posted in and it would be all over. I'm sure you guys remember the last time this happened.

This is a SERIOUS serious issue, all kidding and avatar switching aside, and honestly everyone should install something like noscript immediately.
http://noscript.net/
 

Crono

Lifer
Aug 8, 2001
Originally posted by: Platypus
Easy potential for contained XSS with this, without saying more it'd be quite possible for someone with an admin account to simply view a thread that a malicious user has posted in and it would be all over. I'm sure you guys remember the last time this happened.

This is a SERIOUS serious issue, all kidding and avatar switching aside, and honestly everyone should install something like noscript immediately.
http://noscript.net/


I agree, but unfortunately there aren't enough people who can fix the problem. I think it's just Derek Wilson, and he apparently has his hands full with vB (Can't confirm this, he might just have his hands full with joints :wink; ).

I'm thinking we should make a big signed petition, and let Anand know that the forums need more support for technical stuff like this and the vB switch. I know he isn't making a huge amount of money from the forums, but many of us do visit the main site, and you would think that a little security would be a big issue on computer forums run by tech experts.

I'd make a petition, but I don't carry enough weight. If it were mod made, and supported by most/all of the forum staff, maybe we could get stuff done.
 

Platypus

Lifer
Apr 26, 2001
petitions don't do shit, FT is full of awful code and I'm not entirely sure what relationship AT has with FT... if they're a paying client it should be up to FT to release a patch.

Perhaps they can disable avatars for the time being...? Though I'm sure there are other unchecked buffers in it that most likely have the same issue.

I feel sorry for the powers that be here since their hands are kind of bound but seriously this should be a priority or the forums should just be shut down until they can fix it.
 

olds

Elite Member
Mar 3, 2000
If our personal PCs are at risk we should all log out till it's fixed.