Tuesday, January 17, 2012

The Bug Which Isn't a Bug

Dear members and guests of InterN0T,

A couple of days ago, I discovered a bug in the Disqus Widget for Blogger.com (I haven't heard anything from them yet, even though I've provided them with a permanent solution that fixes the problematic code entirely. See end of blog entry.)
When a user adds this widget to his or her blog, a few lines of JavaScript and "Layout Data Tags" are included as well, to provide the widget's functionality.

One of these lines in particular, inside a script tag, is vulnerable:
var disqus_blogger_current_url = '<data:blog.url/>';

<data:blog.url/> outputs the current URL, "somewhat". You can't submit custom GET requests, but you can use the search form to submit data into this variable, a.k.a. a "Layout Data Tag" (which is often used in widgets).

This tag does not encode the following characters: ' / ! ( ) ? ; : _ , . - * $ @

Knowing this, we know that if <data:blog.url/> is used inside a JavaScript string literal, e.g. var x = '...';, then it will most likely be possible to inject JavaScript into it, as an attacker can simply supply ';alert(0);' and the alert(0); statement will execute.

Even within the default template with no widgets installed, it seems this tag is used here too:
<link href='http://itsnotabug.blogspot.com/search?q='Unescaped characters exist here too, including single quotes' rel='canonical'/>

It seems unlikely, but not impossible, to exploit via the link tag above (it depends on the browser).


Anyway, knowing this, and given that the bug was found in a widget / plugin to begin with, it was clear that it had to be reported: both to the Disqus developers and to the Google Security Team, as this bug could have been prevented if they had sanitized single-quotes / apostrophes in the first place.

This was made very clear in the e-mail they received, including that if they would not encode single-quotes (a.k.a. '), then they should at least state on their developer pages that it is insecure to use single-quotes to encapsulate data.

Within a couple of hours I received the following message:
----------------------------------------------------------------
Hi MaXe,

Thank you for your note. We don't consider this a vulnerability. Users
are permitted to place arbitrary JavaScript, Flash, Java, etc, in their
<username>.blogspot.com domains; this is by design. These domains are
fully isolated from other Google content, and therefore, the risk in
visiting them is no different to navigating to any other website on the
Internet.

Note that there are no authentication cookies or other sensitive
information in these domains; blog management is implemented on
blogger.com, instead.

You can read more about bugs that qualify for a reward here:
http://www.google.com/corporate/rewardprogram.html

Regards,
[Redacted], Google Security Team
----------------------------------------------------------------
[ Figure 1.1 - E-mail response from Google Security Team ]


After receiving this mail, I thought about it for a while and decided to create a test blog so you can see the bug in action, at least until they perhaps decide to encode single-quotes.


Simple Proof of Concept: http://itsnotabug.blogspot.com/search?q=%27%3Balert%280%29%3B%27

Second Proof of Concept: http://bit.ly/y1Ifxp
If you want to see the actual URL: http://bit.ly/y1Ifxp+


Disqus Widget Solution:
1. Go to: Blog Settings => Design => Edit HTML
2. Check [X] Expand Widget Templates
3. Search for: var disqus_blogger_current_url = &#39;<data:blog.url/>&#39;;
4. Replace with: var disqus_blogger_current_url = &quot;<data:blog.url/>&quot;;
5. Save, you're done. It's thankfully that easy in this case.
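To make the mechanism behind both the injection described earlier and the single-to-double-quote fix above concrete, here is an added example (it is not Blogger's, Disqus's or the author's code). It models a template tag whose output is HTML-entity-encoded but whose apostrophes pass through untouched, renders the widget line with either string delimiter, and checks, the way a JavaScript tokenizer would, whether the user-controlled value escapes the string literal. The entity-encoding rule in blogTagEncode is an assumption about <data:blog.url/>: the post states that ' is not encoded, and the fix relies on " being encoded. The jsStringEncode function is a hypothetical correct encoder for the JavaScript string context, shown for contrast; it is not something the Blogger template language offers.

```javascript
// Added example, not code from the original post, Blogger or Disqus.
// Assumed model of the tag's encoder: & < > " become entities, ' passes through.
function blogTagEncode(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Hypothetical correct encoder for a JavaScript string-literal context: every
// character that could end the literal, the <script> element or a line is
// \xHH / \uHHHH-escaped, so the value is safe inside either delimiter.
function jsStringEncode(value) {
  return value.replace(/[\\'"<>&\/\r\n\u2028\u2029]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Renders the widget line the way the template engine would, with the chosen
// delimiter and encoder. Inside <script>, the browser does NOT decode entities,
// so "&quot;" stays as six literal characters in the JavaScript source and can
// never terminate a double-quoted literal, while a raw ' ends a single-quoted one.
function renderWidgetLine(url, quote, encoder) {
  return `var disqus_blogger_current_url = ${quote}${encoder(url)}${quote};`;
}

// Walks the rendered statement as a tokenizer would: after the opening
// delimiter, skips backslash escapes, finds the closing delimiter and reports
// whether anything other than the trailing ";" follows it. Extra content means
// the user-controlled value broke out of the literal, i.e. script injection.
function literalIsBroken(rendered, quote) {
  const start = rendered.indexOf(quote) + 1;
  let i = start;
  while (i < rendered.length) {
    if (rendered[i] === "\\") { i += 2; continue; }
    if (rendered[i] === quote) break;
    i++;
  }
  if (i >= rendered.length) return true;   // literal never closed: syntax error
  return rendered.slice(i + 1) !== ";";    // anything beyond ";" is injected code
}

// Constructed inputs: a benign search URL and the payload from the post's PoC.
const BENIGN_URL = "http://itsnotabug.blogspot.com/search?q=hello";
const PAYLOAD_URL = "http://itsnotabug.blogspot.com/search?q=';alert(0);'";

// Evaluates all four delimiter/encoder combinations for one URL.
// true means the rendered line no longer contains just one string literal.
function evaluate(url) {
  return {
    singleQuoteTagEncoder: literalIsBroken(renderWidgetLine(url, "'", blogTagEncode), "'"),
    doubleQuoteTagEncoder: literalIsBroken(renderWidgetLine(url, '"', blogTagEncode), '"'),
    singleQuoteJsEncoder:  literalIsBroken(renderWidgetLine(url, "'", jsStringEncode), "'"),
    doubleQuoteJsEncoder:  literalIsBroken(renderWidgetLine(url, '"', jsStringEncode), '"'),
  };
}

console.log("benign :", evaluate(BENIGN_URL));
console.log("payload:", evaluate(PAYLOAD_URL));
```

Running it shows that only the single-quoted literal combined with the tag's own encoder is broken by the payload; switching the delimiter to double quotes (the fix above) is safe because the encoder turns " into &quot;, and a context-aware JavaScript string encoder is safe with either delimiter. The same literalIsBroken check can be run over a downloaded copy of a blog page to confirm that a template is no longer affected.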


References:
- http://disqus.com/


Best regards,
MaXe

2 comments:

  1. Well, I just spent a while playing with this, it's a pretty simple GET req XSS

    Example (RickRoll + XSS popup) is at http://tinyurl.com/723gp7x

    Nice job MaXe, maybe they will fix now?

  2. Nice one, and thanks. I'm not sure if they ever will, as vBulletin probably still has the same issue with custom BBCode tags which I also addressed a couple of years ago, well, 2011 or 2010 it probably was.

    Google doesn't think it's a vulnerability to keep the developers in the dark about what's being encoded and what's not, and thereby allow developers to unknowingly develop insecure applications, where they thought input from user-data would've been sanitized as it should've been.

    The good thing about the variable that I mentioned is that it's not often used in the way Disqus used it, which I'm glad about, but it's a shame Google doesn't encode single-quotes for unknown reasons, and furthermore, the developers of Disqus were almost _not_ going to fix the XSS in their plugin, because they misunderstood what Google said, as they thought that XSS isn't dangerous when blogspot.com and blogger.com are different domains, and would therefore not allow disclosure of session cookies.

    At least, so they say, but XSS should be fixed no matter what, unless it's intentional :-)
