Code insertion in Blogger comments

From: Antone Roundy (antone_at_geckotribe.com)
Date: 03/29/05

    Date: Mon, 28 Mar 2005 15:51:57 -0700
    To: bugtraq@securityfocus.com
    
    

    Having notified Blogger of this twice over the course of a number of
    months, and not seeing them take any action (beyond saying that they'll
    look at it) or warn their users, I think it's time to warn people.
    Under the following conditions, Blogger weblogs are vulnerable to
    executable code insertion by third parties:

    * Comments must be enabled.
    * The server must support server-side processing, such as PHP, ASP,
    SSI, etc. (I'm pretty sure Blogspot-hosted blogs are NOT vulnerable).
    * The Archive Filename (in the Settings/Archiving tab) must have an
    extension which triggers server-side processing, such as .php, .asp,
    .shtml, etc. Depending on one's server configuration, files with
    extensions like .html and .htm may also be server-side-processed--no
    particular extension is necessarily safe.
    * It may be necessary to have individual post pages enabled (also in
    the Settings/Archiving tab)--I haven't checked where the comments go
    with that setting off.

    Under these circumstances, an attacker may inject executable code into
    the archive page by posting a comment to the weblog because, while
    Blogger automatically strips most HTML from comments, they do not strip
    processing instructions. Blogger should be stripping out EVERYTHING
    between a "<" and the next ">" unless it is one of the allowed HTML
    tags, or should be stripping all unapproved HTML and converting any
    remaining "<" characters that aren't part of approved HTML to &lt;.

    Antone Roundy
    antone@geckotribe.com

    RSS & Atom Tools: http://www.geckotribe.com/rss/
    RSS & Atom Feed Directory: http://chordata.geckotribe.com/
