[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

LiveJournal XSS




LiveJournal (www.livejournal.org), an open source software package used to 
create popular Internet journals such as LiveJournal (www.livejournal.com) and 
DeadJournal (www.deadjournal.com), is vulnerable to an XSS vulnerability which 
allows an attacker to execute script code in a user's browser.

The vulnerability arises out of insufficient sanitization of a user-supplied 
URL pointing to an image that they wish to display as their journal's 
background. If we were to use the string "www.google.com" as our URL, the 
following would be inserted into our journal's stylesheet:

body { background-image: url(www.google.com); }

While LiveJournal removes all markup from this string, it does not filter out 
parentheses or semicolons, thus allowing us to insert JavaScript code into the 
stylesheet. For example:

); background:url(javascript:alert("XSS!")

If we were to submit the above as our URL, this is what would be inserted into 
the stylesheet:

body { background-image: url(); background:url(javascript:alert("XSS!")); }

Obviously, this presents a wide range of possible attack methods (redirection, 
cookie stealing, etc.) The injected code is executed when a victim view's the 
journal of the attacker. I discovered this vulnerability on Wednesday, Feburary 
18, 2004.