SUMMARY
----------------------------------------------------------------------------

The popular LiveJournal[1] social networking software contained an error
which allowed JavaScript to be included in user-supplied content.

[1] http://www.livejournal.org/, http://www.livejournal.com/

BACKGROUND
----------------------------------------------------------------------------

"LiveJournal is an online journal service with an emphasis on user
interaction."[2] It has historically taken a relatively restrictive
attitude toward user-supplied web content, choosing not to allow users to
include active content such as embedded plugins and scripts. This policy
has generally prevented the creation and spread of malicious content, such
as the two worms which appeared on MySpace in recent months. However, it
also requires that user content be parsed carefully, and a recent
discovery showed that the parsing code has its issues.

[2] http://www.livejournal.com/support/faqbrowse.bml?faqid=56

DESCRIPTION
----------------------------------------------------------------------------

LiveJournal passes all user-supplied HTML through a script called
cleanhtml.pl (located at livejournal/cgi-bin/cleanhtml.pl). By default,
every HTML attribute whose value contains the literal text 'javascript' is
stripped. However, if the cleancss option is enabled (as it is in most
installations, including the one at livejournal.com), style attributes
have their backslashes removed *after* that check is made. A style value
containing the text 'java\script' therefore passes the check and is then
rewritten to 'javascript' before it reaches the browser.

Because many web browsers accept "javascript:" as a pseudo-URI, including
inside style values, this allows the creation of content that executes
arbitrary script code in a reader's browser when it is viewed. For
example, the HTML content test (an element whose style attribute carries
such a 'java\script:' value) will be accepted by an unpatched LiveJournal
installation; the backslash is removed, and a dialog is displayed when the
content is viewed.
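The ordering bug described above, re-created as an added Python illustration (this is not LiveJournal's Perl code from cleanhtml.pl): clean_style_vulnerable() runs the 'javascript' check before stripping backslashes, as the unpatched script did, while clean_style_fixed() strips first and then checks a denylist that includes 'javascript', as the patch does. The denylist tokens are taken from the patch; the case-insensitive substring matching, the sample style values and the url() form of the payload are assumptions made for this example.

```python
# Added illustration, not LiveJournal's cleanhtml.pl: a Python re-creation of the
# style-attribute filter's check-then-normalize ordering bug. Denylist tokens are
# the ones visible in the LiveJournal patch; "javascript" is appended only in the
# fixed version, as the patch does.
CSS_DENYLIST = ("/*", "[", "absolute", "fixed", "expression", "eval",
                "behavior", "cookie", "document", "window")


def _has_denied_token(value, tokens):
    """Case-insensitive substring match, mirroring Perl's /\\Q$css\\E/i (assumed)."""
    lowered = value.lower()
    return any(tok.lower() in lowered for tok in tokens)


def clean_style_vulnerable(value):
    """Pre-fix ordering: the 'javascript' check runs BEFORE backslashes are stripped.

    Returns the cleaned style value, or None if the attribute would be dropped.
    """
    # 1. generic attribute check for the literal text 'javascript'
    if "javascript" in value.lower():
        return None
    # 2. cleancss: remove CSS escape backslashes (the Perl s/\\//g)
    value = value.replace("\\", "")
    # 3. denylist that, before the fix, did not contain 'javascript'
    if _has_denied_token(value, CSS_DENYLIST):
        return None
    return value


def clean_style_fixed(value):
    """Post-fix ordering: strip backslashes first, then check the full denylist."""
    value = value.replace("\\", "")
    if _has_denied_token(value, CSS_DENYLIST + ("javascript",)):
        return None
    return value


# Constructed sample style values for this example (not taken from the advisory):
SAMPLES = {
    "benign":       "color: red",
    "escaped_js":   "background: url(java\\script:alert(1))",   # the advisory's trick
    "escaped_expr": "width: expre\\ssion(alert(1))",            # escape hides 'expression'
    "plain_js":     "background: url(javascript:alert(1))",     # caught even pre-fix
}


def compare(samples=SAMPLES):
    """Run both filters over the samples; returns {name: (vulnerable, fixed)}."""
    return {name: (clean_style_vulnerable(v), clean_style_fixed(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:13s} vulnerable={vuln!r:45s} fixed={fixed!r}")
```

Running it shows the asymmetry that made the bug: 'expre\ssion' is caught even by the vulnerable filter, because the 'expression' token is checked after the backslashes are gone, whereas 'java\script' slips through precisely because its check ran first. Any normalization step (escape removal, entity decoding, case folding) has to happen before the string is compared against a denylist, or the denylist only matches what the attacker chose not to disguise.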
FIXES
----------------------------------------------------------------------------

As of 7 Dec 2005, LiveJournal CVS contains a fix for this issue:
cleanhtml.pl now searches for the text 'javascript' in CSS *after*
stripping backslashes:

> --- cgi-bin/cleanhtml.pl 22 Oct 2005 03:17:05 -0000 1.129
> +++ cgi-bin/cleanhtml.pl 7 Dec 2005 08:50:41 -0000 1.130
> @@ -319,7 +319,7 @@
> $hash->{$attr} =~ s/\\//g;
>
> # and catch the obvious ones ("[" is for
> things like document["coo"+"kie"]
> - foreach my $css ("/*", "[", qw(absolute
> fixed expression eval behavior cookie document window)) {
> + foreach my $css ("/*", "[", qw(absolute
> fixed expression eval behavior cookie document window javascript)) {
> if ($hash->{$attr} =~ /\Q$css\E/i) {
> delete $hash->{$attr};
> next ATTR;

All sites using the LiveJournal code are urged to upgrade, or to apply
this patch, as soon as possible.

ACKNOWLEDGEMENTS
----------------------------------------------------------------------------

The author would like to acknowledge Hoshikuzu Stardust (st4rdust at
gmail.com) for reporting a related issue involving the escaping of control
characters in CSS; this vulnerability was discovered during
experimentation and testing regarding that issue.

HISTORY
----------------------------------------------------------------------------

Discovery:         circa 5 Dec 2005
Vendor notified:   5 Dec 2005
Patch implemented: 7 Dec 2005
Public disclosure: 19 Dec 2005

AUTHOR
----------------------------------------------------------------------------

Andrew Farmer is a student at Harvey Mudd College.
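Review bot: on the cleanhtml.pl hunk in FIXES, appending 'javascript' to the qw(...) denylist closes the reported bypass but leaves the filter a keyword list that is checked by case-insensitive substring after the single `s/\\//g` normalization: it still admits other scheme names a browser may execute in the same position (for example 'vbscript', which Internet Explorer of that era accepted as a pseudo-URI) and does not reject 'url(' values at all. Consider rejecting any style value containing 'url(' or a ':' inside one, or allowlisting the few properties users actually need, rather than extending the list one keyword at a time. The comment above the loop ("and catch the obvious ones") should also state that this loop must stay below the backslash-stripping line, since checking before stripping is exactly the ordering bug this change fixes.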