
KM-2004-01.txt
Posted Jun 9, 2004
Authored by Kyle Maxwell

Blosxom, a weblog tool, is susceptible to cross site scripting attacks.

tags | advisory, xss
SHA-256 | 22a63a1e76decc66eff4c6b6b730f941095ddffd7f05c2715d58c3200f4f7d20

Security Advisory KM-2004-01: Cross-Site Scripting in Blosxom writeback

Affected Application:
Blosxom (http://www.blosxom.com)

Severity: Medium to high (typical XSS impacts)

Introduction:
Blosxom, a weblog tool, has an optionally-installable plugin commonly
used for allowing users to post comments or trackbacks to entries in a
weblog, called writeback
(http://www.blosxom.com/plugins/input/writeback.htm). The filtering
function in all Blosxom 2.0 writeback versions, including the latest
(2004-02-19), is vulnerable to a simple bypass, allowing attackers to
embed scripts in their comment that will be run by any client viewing
the page.

Discussion:
In the writeback plugin, the code to filter out tags is a simple regular
expression: "s/<.*?>//mg". So entering scripts as
"<script>alert('test');</script>" will get filtered into
"alert('test');" and no code will be executed by the client.

This allows a straightforward bypass by using carriage returns before
the closing bracket in the script tags: the "." in the regular
expression does not match a newline, so the tags do not match the
regular expression but are still interpreted as tags by browsers.
Additional bypass methods may be possible against the existing
filtering.

Impact:
Attackers can take any action that the client permits the site to do,
including retrieving any cookies used on the site (even if they are not
Blosxom-related), exploiting browser vulnerabilities, rewriting the
page, etc. The overall impact of XSS vulnerabilities is well-known; see
References below if needed.

Solution:
Implement a more robust filtering scheme. One alternative would be to
replace "<" and ">" characters with "&lt;" and "&gt;" and other
sensitive characters with the appropriate HTML entities. Another would
be to only allow certain characters, such as alphanumerics and a few
additions. See References below if needed. An additional solution has
been proposed by Ivan Grynov at
http://groups.yahoo.com/group/blosxom/message/8034. The author has
chosen not to implement these solutions at this time, though the code is
undergoing a complete overhaul and may thus not be vulnerable in 3.0.

A copy of this advisory (including very simple proof-of-concept code) is
available at
http://kylem.xwell.org/blosxom.cgi/tech/security/km-2004-01.html.
Additionally, a patch using HTML::Entities is available at
http://kylem.xwell.org/wb.patch.
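To make the Discussion and Solution sections concrete, here is an added test harness (not code from the advisory or from the writeback plugin) that ports the plugin's tag-stripping regex to Python, puts an entity-encoding filter in the style of the HTML::Entities patch beside it, and checks which filter still lets a tag through. The sample comments are constructed; the function names are my own.

```python
import html
import re

# Weak filter: a port of the writeback plugin's tag stripper s/<.*?>//mg.
# In Perl as in Python, "." does not match a newline unless the
# single-line flag (/s or re.DOTALL) is set, so a tag whose closing
# bracket sits on the next line is never matched and survives untouched.
def strip_tags_weak(text: str) -> str:
    return re.sub(r"<.*?>", "", text, flags=re.M)

# Hardened filter: encode every markup-significant character as an HTML
# entity, the approach of the HTML::Entities patch the advisory mentions.
# Line breaks make no difference because each "<" and ">" is rewritten
# regardless of what surrounds it.
def escape_comment(text: str) -> str:
    return html.escape(text, quote=True)

# Defender-side check: does a filter's output still contain anything a
# browser would parse as a tag? "[^>]*" also matches newlines, so a tag
# split across lines is not a blind spot for the check itself.
TAG_ANY_LINES = re.compile(r"<[^>]*>")

def contains_tag(text: str) -> bool:
    return TAG_ANY_LINES.search(text) is not None

# Constructed sample comments (not taken from the advisory).
SAMPLES = {
    "plain": "Nice post, thanks!",
    "tag_on_one_line": "<script>alert('test');</script>",
    "tag_split_across_lines": "<script\n>alert('test');</script\n>",
}

def evaluate(filter_fn) -> dict:
    """Map each sample name to whether a tag survives filter_fn."""
    return {name: contains_tag(filter_fn(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    print("weak   :", evaluate(strip_tags_weak))
    print("escaped:", evaluate(escape_comment))
```

Run as a script, the weak filter reports a surviving tag only for the split-line sample, while the entity-encoding filter reports none for any sample.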

References:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www.technicalinfo.net/papers/CSS.html
http://www.perl.com/pub/a/2002/02/20/css.html
© 2022 Packet Storm. All rights reserved.