livejournal.txt
Posted Dec 28, 2005
Authored by Andrew Farmer

LiveJournal is susceptible to a javascript inclusion flaw.

tags | advisory, javascript
SHA-256 | 5ee1244723c6ee9a9237b7fe5f35b4e70c7c5c050a72fc882ab9c53b4cac9ddf

SUMMARY
----------------------------------------------------------------------
The popular LiveJournal[1] social networking software contained a
sanitization error which allowed Javascript to be included in
user-supplied content.

[1] http://www.livejournal.org/, http://www.livejournal.com/


BACKGROUND
----------------------------------------------------------------------
"LiveJournal is an online journal service with an emphasis on user
interaction."[2] It has historically had a relatively restrictive
attitude toward user-supplied web content, opting to not allow users
to include active content such as embedded plugins and scripts. This
attitude has generally prevented the creation and spread of malicious
content, such as the two worms which appeared on MySpace in recent
months. However, this position also requires that user content be
parsed carefully, and the issue described here showed that LiveJournal's
parser had a flaw.

[2] http://www.livejournal.com/support/faqbrowse.bml?faqid=56


DESCRIPTION
----------------------------------------------------------------------
LiveJournal parses all user-supplied HTML through a script called
cleanhtml.pl (located at livejournal/cgi-bin/cleanhtml.pl). All HTML
attributes containing the literal text 'javascript' are stripped by
default. However, if the cleancss option is enabled (which it is in
most installations, including the one at livejournal.com), style
attributes have their slashes stripped only after the check for the
text 'javascript' has already run, so a style property containing the
text 'java\script' passes the check, is rewritten to 'javascript', and
is passed through. As many web browsers accept "javascript:" as a
pseudo-URI, this allows the creation of content that executes arbitrary
script code in a user's browser when viewed.

For example, the HTML content

<span style="background:url('javas\cript:(function x(){alert("boo")})();');">test</span>

will be accepted by an unpatched LiveJournal installation; the slash
will be removed, causing a dialog to be displayed when the content is
viewed.


FIXES
----------------------------------------------------------------------
As of 7 Dec 2005, LiveJournal CVS contains a fix to this issue:
cleanhtml.pl now searches for the text 'javascript' in CSS *after*
stripping slashes:

> --- cgi-bin/cleanhtml.pl 22 Oct 2005 03:17:05 -0000 1.129
> +++ cgi-bin/cleanhtml.pl 7 Dec 2005 08:50:41 -0000 1.130
> @@ -319,7 +319,7 @@
> $hash->{$attr} =~ s/\\//g;
>
> # and catch the obvious ones ("[" is for
> things like document["coo"+"kie"]
> - foreach my $css ("/*", "[", qw(absolute
> fixed expression eval behavior cookie document window)) {
> + foreach my $css ("/*", "[", qw(absolute
> fixed expression eval behavior cookie document window javascript)) {
> if ($hash->{$attr} =~ /\Q$css\E/i) {
> delete $hash->{$attr};
> next ATTR;

All sites using the LiveJournal code are urged to upgrade, or apply
this patch, as soon as possible.
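To make the ordering problem concrete, the following is an added Python model of the two attribute-cleaning pipelines that the DESCRIPTION and FIXES sections describe. It is not LiveJournal's code (cleanhtml.pl is Perl): the function names, the assumed shape of the ATTR loop, and the url() allowlist alternative are this example's own. The word list is copied from the hunk quoted above and the payload from the DESCRIPTION section.

```python
import re

# Word list rejected inside style attributes, taken from the hunk quoted in
# the FIXES section; revision 1.130 appended 'javascript' to it.
CSS_DENYLIST_OLD = ["/*", "[", "absolute", "fixed", "expression", "eval",
                    "behavior", "cookie", "document", "window"]
CSS_DENYLIST_NEW = CSS_DENYLIST_OLD + ["javascript"]

# Payload from the DESCRIPTION section: the backslash splits the word so the
# raw-text check misses it, and cleancss later deletes the backslash.
ADVISORY_STYLE = "background:url('javas\\cript:(function x(){alert(\"boo\")})();');"

_SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.I)
_URL_RE = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""", re.I | re.S)


def _clean(attrs, denylist):
    """Assumed shape of cleanhtml.pl's ATTR loop: a raw-text 'javascript'
    test on every attribute, then (cleancss) backslash stripping and the CSS
    denylist for style attributes. Only `denylist` differs between the two
    orderings the advisory describes."""
    kept = {}
    for name, value in attrs.items():
        if "javascript" in value.lower():    # runs on the still-escaped value
            continue
        if name.lower() == "style":
            value = value.replace("\\", "")  # $hash->{$attr} =~ s/\\//g
            if any(bad in value.lower() for bad in denylist):
                continue
        kept[name] = value
    return kept


def clean_attrs_vulnerable(attrs):
    """Pre-1.130: nothing re-checks for 'javascript' after unescaping."""
    return _clean(attrs, CSS_DENYLIST_OLD)


def clean_attrs_fixed(attrs):
    """1.130: 'javascript' is in the list applied to the unescaped value."""
    return _clean(attrs, CSS_DENYLIST_NEW)


def style_has_unsafe_url(style):
    """Allowlist alternative (this example's own, not LiveJournal's code):
    after normalising away backslashes and ASCII control characters, every
    url() target must be relative or use an http/https scheme."""
    norm = "".join(ch for ch in style.replace("\\", "") if ord(ch) >= 0x20)
    for _quote, target in _URL_RE.findall(norm):
        m = _SCHEME_RE.match(target)
        if m and m.group(1).lower() not in ("http", "https"):
            return True
    return False


def clean_attrs_allowlist(attrs):
    """Drop any style attribute whose url() targets fail the allowlist."""
    kept = {}
    for name, value in attrs.items():
        if name.lower() == "style" and style_has_unsafe_url(value):
            continue
        kept[name] = value
    return kept


if __name__ == "__main__":
    attrs = {"style": ADVISORY_STYLE}
    print("vulnerable:", clean_attrs_vulnerable(attrs))   # payload survives
    print("fixed:     ", clean_attrs_fixed(attrs))        # {}
    print("allowlist: ", clean_attrs_allowlist(attrs))    # {}
```

The vulnerable ordering keeps the attribute with its backslash removed, which is exactly the value the browser then sees; the fixed ordering drops it because the denylist is consulted after normalisation. The allowlist variant rejects the same payload without needing 'javascript' on any list, which is why the reviewer note above prefers it.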


ACKNOWLEDGEMENTS
----------------------------------------------------------------------
The author would like to acknowledge Hoshikuzu Stardust (st4rdust at
gmail.com) for reporting a related issue involving the escaping of
control characters in CSS; this vulnerability was discovered during
experimentation and testing regarding that issue.


HISTORY
----------------------------------------------------------------------
Discovery: circa 5 Dec 2005

Vendor notified: 5 Dec 2005

Patch implemented: 7 Dec 2005

Public disclosure: 19 Dec 2005


AUTHOR
----------------------------------------------------------------------
Andrew Farmer is a student at Harvey Mudd College.
