A couple of days ago, I discovered a bug in the Disqus Widget for Blogger.com (I haven't heard anything from them yet, even though I've provided them with a permanent solution that fixes the problematic code entirely. See end of blog entry.)
When a user adds this widget to his or her blog, a few lines of JavaScript and "Layout Data Tags" are included as well, to offer functionality to the widget.
One of these lines, inside a script tag, is vulnerable:
var disqus_blogger_current_url = '<data:blog.url/>';
<data:blog.url/> outputs the current URL, more or less. You can't get arbitrary GET parameters reflected, but you can use the blog's search form to put data into this "Layout Data Tag" (a kind of variable that widgets often use).
This tag does not encode the following characters: ' / ! ( ) ? ; : _ , . - * $ @
Knowing this, if <data:blog.url/> is used inside a JavaScript string literal, e.g. var x = '...';, then it will most likely be possible to inject JavaScript, as an attacker can simply submit ';alert(0);' and the alert(0); statement will execute.
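To make the breakout concrete, here is an added example (not code from the original post, nor from Disqus or Blogger). It models the data tag's output from the character list above, builds the widget's assignment line with either delimiter, and counts how many statements the result contains. Two assumptions: the tag leaves the listed characters and alphanumerics untouched and percent-encodes everything else (double quote and backslash included), and only the search query is attacker-controlled, so the fixed search path is kept as-is and just the query value runs through the model.

```javascript
// Added example, not from the original post or the Disqus widget.
// ASSUMPTION 1: <data:blog.url/> passes through ' / ! ( ) ? ; : _ , . - * $ @
// and alphanumerics and percent-encodes everything else (" and \ included).
// ASSUMPTION 2: only the search query is attacker-controlled; the search
// path itself comes from the post and is used verbatim.
const PASSTHROUGH = new Set("'/!()?;:_,.-*$@");
const SEARCH_PATH = "http://itsnotabug.blogspot.com/search?q=";

// Percent-encode one character's UTF-8 bytes, e.g. " -> %22
function pctEncode(ch) {
  return Array.from(new TextEncoder().encode(ch),
    (b) => "%" + b.toString(16).toUpperCase().padStart(2, "0")).join("");
}

// Model of what the data tag emits for a given search query (assumption 1).
function modelDataTagOutput(query) {
  let out = "";
  for (const ch of query) {
    out += /^[A-Za-z0-9]$/.test(ch) || PASSTHROUGH.has(ch) ? ch : pctEncode(ch);
  }
  return SEARCH_PATH + out;
}

// The widget's assignment line with the chosen delimiter around the tag output.
function buildAssignment(query, quote) {
  return `var disqus_blogger_current_url = ${quote}${modelDataTagOutput(query)}${quote};`;
}

// Minimal scanner: count statement terminators (;) that sit outside any
// string literal. A value that stays inside its literal yields exactly 1.
function countTopLevelStatements(js) {
  let inString = null;
  let count = 0;
  for (let i = 0; i < js.length; i++) {
    const ch = js[i];
    if (inString) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === inString) inString = null;
    } else if (ch === "'" || ch === '"') {
      inString = ch;
    } else if (ch === ";") {
      count++;
    }
  }
  return count;
}

// True when the query cannot leave the string literal it was placed in.
function valueStaysInLiteral(query, quote) {
  return countTopLevelStatements(buildAssignment(query, quote)) === 1;
}

const PAYLOAD = "';alert(0);'"; // the post's example input, URL-decoded

console.log(buildAssignment(PAYLOAD, "'"));       // literal closed early: 3 statements
console.log(buildAssignment(PAYLOAD, '"'));       // ' is harmless inside "..."
console.log(buildAssignment('";alert(0);"', '"')); // " is encoded under assumption 1
```

Under these assumptions the double-quoted form holds up because the only characters that could end a double-quoted literal (`"` and `\`) are not on the pass-through list. That is exactly the dependency the delimiter swap relies on; a template that emitted a properly JavaScript-escaped (e.g. JSON-encoded) value would not need to depend on which quote character the encoder happens to handle.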
Even within the default template with no widgets installed, it seems this tag is used here too:
<link href='http://itsnotabug.blogspot.com/search?q='Unescaped characters exist here too, including single quotes' rel='canonical'/>
It seems unlikely, but not impossible, to exploit the link tag above (it depends on the browser).
Anyway, knowing this, and that the bug was found in a widget / plugin in the first place, it was clear that it had to be reported, both to the Disqus developers and to the Google Security Team, as this bug could have been prevented if they had encoded single quotes / apostrophes to begin with.
This was made very clear in the e-mail they received, including that if they would not encode single quotes ('), they should at least state on their developer pages that it is insecure to wrap data in single quotes.
Within a couple of hours I received the following message:
----------------------------------------------------------------
Hi MaXe,
Thank you for your note. We don't consider this a vulnerability. Users
are permitted to place arbitrary JavaScript, Flash, Java, etc, in their
<username>.blogspot.com domains; this is by design. These domains are
fully isolated from other Google content, and therefore, the risk in
visiting them is no different to navigating to any other website on the
Internet.
Note that there are no authentication cookies or other sensitive
information in these domains; blog management is implemented on
blogger.com, instead.
You can read more about bugs that qualify for a reward here:
http://www.google.com/corporate/rewardprogram.html
Regards,
[Redacted], Google Security Team
----------------------------------------------------------------
[ Figure 1.1 - E-mail response from Google Security Team ]
After receiving this mail, I thought about it for a while and decided to create a test blog so you can see the bug in action, at least until they perhaps decide to encode single-quotes.
Simple Proof of Concept: http://itsnotabug.blogspot.com/search?q=%27%3Balert%280%29%3B%27
Second Proof of Concept: http://bit.ly/y1Ifxp
If you want to see the actual URL: http://bit.ly/y1Ifxp+
Disqus Widget Solution:
1. Go to: Blog Settings => Design => Edit HTML
2. Check [X] Expand Widget Templates
3. Search for: var disqus_blogger_current_url = '<data:blog.url/>';
4. Replace with: var disqus_blogger_current_url = "<data:blog.url/>";
5. Save; you're done. Thankfully it's that easy in this case.
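Steps 3 and 4 can be automated over a saved copy of the template source. The following is an added example (not from the original post or the Disqus widget): it locates data tags wrapped in single quotes inside script blocks and produces the double-quoted form. The template text it runs on is constructed for the example and contains the vulnerable line from step 3, an already-fixed line, and the canonical link tag from earlier in the post.

```javascript
// Added example; not part of the original post or the Disqus widget.
// CONSTRUCTED template fragment: one vulnerable line, one already fixed,
// and the <link> tag from the post (which sits outside any script block).
const TEMPLATE = `
<script type='text/javascript'>
  var disqus_blogger_current_url = '<data:blog.url/>';
  var example_other_url = "<data:blog.url/>";
</script>
<link href='<data:blog.url/>' rel='canonical'/>
`;

// Extract the bodies of <script> ... </script> blocks (non-nested, which is
// how they appear in these templates).
function scriptBlocks(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const blocks = [];
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

// Step 3: return every script line where a data tag is wrapped in single quotes.
function findSingleQuotedDataTags(html) {
  const hits = [];
  for (const body of scriptBlocks(html)) {
    for (const line of body.split("\n")) {
      if (/'<data:[^>]*\/>'/.test(line)) hits.push(line.trim());
    }
  }
  return hits;
}

// Step 4: swap the single-quote delimiters around the tag for double quotes,
// inside script blocks only. Attribute contexts such as the <link> tag are a
// different problem and are deliberately left untouched.
function fixSingleQuotedDataTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, (block) =>
    block.replace(/'(<data:[^>]*\/>)'/g, '"$1"'));
}

console.log(findSingleQuotedDataTags(TEMPLATE));
console.log(fixSingleQuotedDataTags(TEMPLATE));
```

The rewrite only changes the delimiter, so it carries the same caveat as the manual fix: it is safe as long as the tag encodes double quotes, and it does nothing for the link tag's attribute context.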
References:
- http://disqus.com/
Best regards,
MaXe