XSS Issue - Save the innocent MP users!
Jun 9, 2016
I've discovered a cross-site scripting vulnerability which has to do with the way quotes are handled in image tag `src` attributes. As you've probably noticed... the background of this site is now black when you visit this thread. I've managed to do this with the following code:

    <img=#'onerror=document.body.style.backgroundColor='#000>

As you probably realize, all quotes should be escaped when storing/displaying data that has been submitted by users. Good luck!
Ryan Nevius
From Estes Park, Colorado
Joined Dec 29, 2010
991 points
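An added example, not code from the thread or from Mountain Project, showing the mechanism the post describes: a single quote in a user-supplied value closes a single-quoted `src` attribute, so the rest of the value is parsed as further attributes (here `onerror`), and attribute escaping keeps the whole value inside `src`. The rendering functions, the allowlist of URL prefixes and the toy attribute tokenizer are my assumptions, not the site's code.

```javascript
// Constructed input modelled on the payload posted above: the leading "'"
// closes a single-quoted src value; the site's own closing quote then
// terminates the trailing '#000.
const POSTED_VALUE = "#'onerror=document.body.style.backgroundColor='#000";

// Vulnerable rendering (assumed): user value concatenated into a
// single-quoted attribute with no escaping.
function renderImageUnsafe(src) {
  return "<img src='" + src + "'>";
}

// Escape the characters that can terminate or confuse an attribute value.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering (assumed): escape the value, and only accept http(s),
// root-relative or fragment URLs so javascript: and similar schemes are dropped.
function renderImageSafe(src) {
  if (!/^(https?:\/\/|\/|#)/i.test(src)) return "";
  return "<img src='" + escapeAttr(src) + "'>";
}

// Toy tokenizer, enough to show what a browser would make of the tag:
// returns the attribute names it finds in a single <img ...> element.
// Quoted values run to the matching quote; unquoted values run to whitespace.
function attributeNames(tag) {
  const inner = tag.replace(/^<img\s*/i, "").replace(/>$/, "");
  const re = /([^\s=>]+)(?:=(?:'[^']*'|"[^"]*"|[^\s>]*))?/g;
  return Array.from(inner.matchAll(re), (m) => m[1]);
}

// Unescaped: ["src", "onerror"]  (an event handler now exists on the tag)
console.log(attributeNames(renderImageUnsafe(POSTED_VALUE)));
// Escaped:   ["src"]             (the quote stays data inside the src value)
console.log(attributeNames(renderImageSafe(POSTED_VALUE)));
```

The same escaping is needed for double-quoted attributes; the escape table covers both quote characters so the rendering code does not depend on which one the template happens to use.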
Jun 9, 2016
Ah, who could forget little Bobby Tables? A slightly different topic (SQL injection), but equally relevant.
Ryan Nevius
From Estes Park, Colorado
Joined Dec 29, 2010
991 points
Jun 9, 2016
If you honestly feel that it's a threat to users, then I recommend deleting your post and reporting it to the MP admin privately.
Kent Richards
Joined Jan 10, 2009
81 points
Jun 9, 2016
Why? It's better that users are aware of the issue, in this case. This isn't true of all vulnerabilities.
Ryan Nevius
From Estes Park, Colorado
Joined Dec 29, 2010
991 points
Jun 9, 2016
Call up REI network security and tell them to scan your site with WebInspect or whatever tools they have. Take advantage of big daddy.
Rick Blair
From Denver
Joined Oct 16, 2007
376 points
Jun 9, 2016
So much for responsible disclosure.
Kyle Ondy
From Somerset, NJ
Joined Sep 3, 2015
6 points
Jun 9, 2016
As a user, I reasonably expect a site to NOT have XSS vulnerabilities. If there is one that hasn't been fixed, I'd rather know about it. I'm positive that my responsible disclosure of this vulnerability isn't showing any would-be hackers how to do anything they wouldn't have already figured out. If this was something that would affect MP directly (such as SQL injection), I would have avoided creating a thread, and would have contacted the Admins.
Ryan Nevius
From Estes Park, Colorado
Joined Dec 29, 2010
991 points
Jun 9, 2016
Kyle Ondy wrote:
So much for responsible disclosure.

XSS is generally an attack on the user, the site is just a vehicle for the attack. Disclosure is for the victim of the attack not just the enabler.
Rick Blair
From Denver
Joined Oct 16, 2007
376 points
Site Landlord
Jun 9, 2016
Thanks for the notice; this should be fixed. Please continue to bask in your innocence.
Nick Wilder
From The Bubble
Joined Jan 1, 2005
2,149 points