del.icio.us doesn't care about security

Friday, December 8. 2006

Friday, December 8. 2006



When you report an XSS security problem in a web 2.0 site you usually assume it will get fixed as soon as possible. Obviously the guys at del.icio.us think different...


About a month ago I reported a XSS vulnerability to the people at del.icio.us that affects Internet Explorer users, which is most probably the most popular browser among its users. I got answered back by a guy from Yahoo that thanked for the report but now after about a month it is still not fixed.


The vulnerability exists because Internet Explorer trusts file extensions more than the content-type which results in one of their feeds beeing parsed as HTML. Of course this will allow JavaScript execution and this basically means this page here could add itself to your bookmarks. Could? Infact it just did if you are an Internet Explorer user and currently logged in to your del.icio.us account.


Update: This page no longer tries to add itself to your bookmarks because Yahoo, that of course claim to have never heard about this vulnerability, have fixed it now.

Posted by Stefan Esser in Security, PHP at 14:17
Comments (14)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Edward ()
So the security problem is that some JavaScript may be run by IE in a web page? I'd hardly call that a security issue -- if you've got JavaScript enabled, this will happen for any web page.

I agree this could be an annoyance, but that's all. I'm not surprised that del.icio.us appear have filed this under 'minor bug'.
posted on Friday, December 8. 2006
#1.1 Christopher Kunz wrote (Link) ()
Heh, it's friday... I guess parts of your brain might be off for the weekend already ;-)
posted on Friday, December 8. 2006
#2 Stefan Esser wrote (Link) ()
Edward congratulation for winning the dumbo of the day award.

Where I live we call it a security issue when I can completely takeover your del.icio.us account.
posted on Friday, December 8. 2006
#3 Benjamin Bittner ()
@Stefan:
Although i love hardened php and absolutely respect everyone who works on it, i dont think its in any way appropriate to insult people like this.

@Edward:
I would never call anyone a dumbo, because of youre statement, but you should probably read something this blogpost again or read something regarding XSS.
Stefan wrote "and this basically means this page here could at itself to your bookmarks", so this clearly shows, that this is indeed a security problem. Just imagine with this "feature", an attacker could do everything in your del.icio.us account, just like he was you!
posted on Friday, December 8. 2006
#3.1 Stefan Esser wrote (Link) ()
Benjamin,

sorry but If this Edward is indeed a web application programmer and not only some anonymous blog comment troll, then there is only one good place for him. FAR AWAY from his keyboard.
posted on Friday, December 8. 2006
#3.1.1 Edward ()
Sorry - I misunderstood your original post.

I realise now that the bookmarking in IE you are talking about is interacting with a user's del.icio.us account. I thought you were simply talking about IE's window.external.AddFavorite method.
posted on Monday, December 11. 2006
#3.1.1.1 Stefan Esser wrote (Link) ()
Yeah, and I thought that you were making fun and were only trolling the comments like some other usually do. That's the problem with "pseudo" anonymous postings.
posted on Monday, December 11. 2006
#4 Rafael Dohms wrote (Link) ()
Thank god for fireFox!

Taht coment by Edward shows exactly why so many security problems go by uncorrected... NOT A SECURITY PROBLEM?

Ok, i'll go by adding som porn to your del.icio.us account.. that should go down well with the missus...

Stefan,
That is a really big sec breach, it amazes me also that they haven't fixed it, let's hope they open their eyes soon.
good "eyes"!
posted on Friday, December 8. 2006
#5 nEUrOO wrote (Link) ()
I guess there is lots of company like that out there.
I report a XSS hole on canalplus.fr (tv website), they didn't thank me and poorly fix the vulnerability (i.e. you can still exploit it with a small variant of the original XSS string)
posted on Friday, December 8. 2006
#6 Douglas Clifton wrote (Link) ()
Microsoft's browser is the issue here. The content-type header should always take precedence over file extensions, which is exactly why bad guys do things like attach scripting to what seems to be an image.

See "Reliability of URI metadata" from the W3C for more information:

http://www.w3.org/2001/tag/doc/metaDataInURI-31#erroneous
posted on Friday, December 8. 2006
#7 Toby Elliott wrote (Link) ()
Actually, the email I sent to you was :

"Thanks for bringing a vulnerability to our attention. Please do send us the details."

I would have loved to fix it, but I never heard back, so I have nothing to work with. If you can send along the details of the exploit, we'll get it fixed.

Regards,
Toby Elliott
Engineering Manager - del.icio.us
posted on Friday, December 8. 2006
#7.1 Stefan Esser wrote (Link) ()
Toby,

it is infact not my problem when you claim that you have not received a mail from me.

The details with an example exploit were sent directly after I received your email.

It is not my fault when Yahoo's mailservers are broken.

-sesser
posted on Saturday, December 9. 2006
#8 Toby Elliott wrote (Link) ()
Anyway, we were able to scrape enough details of this page to identify and fix it. Should be better now.
posted on Saturday, December 9. 2006
#9 enygma wrote (Link) ()
Oh, so this is what a post that allows comments looks like.
posted on Monday, December 11. 2006

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back November '08
Mon Tue Wed Thu Fri Sat Sun
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
Archives
November 2008
October 2008
September 2008
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP