John Bokma MexIT
freelance Perl programmer

Linux.com allows JavaScript via comments

Monday, December 17, 2007 | 0 comments

Today, "thanks" to a piece of comment spam I received, I discovered that one can simply post comments on linux.com containing JavaScript. The programmer who allowed such a security hole should be very, very ashamed. At first I couldn't believe my eyes, but a very simple test showed me that it was indeed the case: at the time of writing, anybody can post JavaScript on Linux.com via their comment system. Of course I contacted linux.com via email as soon as I discovered this issue.

Linux.com JavaScript injection via comment (source).

The above screendump shows the source of a comment I posted. It contains a very simple piece of JavaScript which redirects the browser to example.com. Because the script element is added to the HTML of the page on Linux.com without any post-processing, anybody can add JavaScript via the comment system, and JavaScript far less harmless than this small example.
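To make the flaw concrete, here is an added example (my own illustration, not code from Linux.com or from the original post) that renders a comment the broken way and the correct way, and then checks each result for a live script element. The comment text is a constructed sample modelled on the redirect described above; the function and class names are assumptions for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample comment, modelled on the redirect described in the post.
COMMENT = "<script>window.location = 'http://example.com/';</script>"


def render_unescaped(comment: str) -> str:
    """The flawed pattern: comment text dropped straight into the page HTML."""
    return f'<div class="comment">{comment}</div>'


def render_escaped(comment: str) -> str:
    """Hardened pattern: HTML-escape the comment so markup is displayed as text."""
    return f'<div class="comment">{escape(comment, quote=True)}</div>'


class ScriptFinder(HTMLParser):
    """Counts <script> start tags, i.e. script elements a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "script":
            self.scripts += 1


def count_script_elements(page_html: str) -> int:
    """Parse rendered HTML and return how many script elements it contains."""
    finder = ScriptFinder()
    finder.feed(page_html)
    finder.close()
    return finder.scripts


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        page = render(COMMENT)
        print(f"{name}: {count_script_elements(page)} script element(s)")
        print(f"  {page}")
```

Escaping is the right fix when comments are plain text; if a site wants to allow a subset of HTML in comments, it needs a whitelist-based sanitizer instead, since escaping everything would also neutralise the permitted tags.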

Linux.com JavaScript injection via comment (JavaScript off).

The above screendump shows how the comment appears on Linux.com.

HTTP headers showing the redirect worked.
