XSS Issue - Save the innocent MP users!


Original Post
Ryan Nevius · Jun 9, 2016 · Estes Park, Colorado · Joined Dec 2010 · Points: 824
I've discovered a cross-site scripting vulnerability which has to do with the way quotes are handled in image tag `src` attributes. As you've probably noticed... the background of this site is now black when you visit this thread. I've managed to do this with the following code:

<img=#'onerror=document.body.style.backgroundColor='#000>
As you probably realize, all quotes should be escaped when storing/displaying data that has been submitted by users. Good luck!

Ryan Nevius · Jun 9, 2016 · Estes Park, Colorado · Joined Dec 2010 · Points: 824
Ah, who could forget little Bobby Tables? A slightly different topic (SQL injection), but equally relevant.

Kent Richards · Jun 9, 2016 · Unknown Hometown · Joined Jan 2009 · Points: 3
If you honestly feel that it's a threat to users, then I recommend deleting your post and reporting it to the MP admin privately.

Ryan Nevius · Jun 9, 2016 · Estes Park, Colorado · Joined Dec 2010 · Points: 824
Why? It's better that users are aware of the issue, in this case. This isn't true of all vulnerabilities.

Rick Blair · Jun 9, 2016 · Denver · Joined Oct 2007 · Points: 163
Call up REI network security and tell them to scan your site with WebInspect or whatever tools they have. Take advantage of big daddy.

Kyle Ondy · Jun 9, 2016 · Somerset, NJ · Joined Sep 2015 · Points: 0
So much for responsible disclosure.

Ryan Nevius · Jun 9, 2016 · Estes Park, Colorado · Joined Dec 2010 · Points: 824
As a user, I reasonably expect a site to NOT have XSS vulnerabilities. If there is one that hasn't been fixed, I'd rather know about it. I'm positive that my responsible disclosure of this vulnerability isn't showing any would-be hackers how to do anything they wouldn't have already figured out. If this was something that would affect MP directly (such as SQL injection), I would have avoided creating a thread, and would have contacted the Admins.

Rick Blair · Jun 9, 2016 · Denver · Joined Oct 2007 · Points: 163
Kyle Ondy wrote: So much for responsible disclosure.
XSS is generally an attack on the user, the site is just a vehicle for the attack. Disclosure is for the victim of the attack not just the enabler.

Nick Wilder · Jun 9, 2016 · The Bubble · Joined Jan 2005 · Points: 1,521
Thanks for the notice; this should be fixed. Please continue to bask in your innocence.
