Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

LiveJournal XSS
From: Joshua Miller <jpmiller () tds net>
Date: 19 Feb 2004 21:18:49 -0000


LiveJournal (www.livejournal.org), an open source software package used to create popular Internet journals such as 
LiveJournal (www.livejournal.com) and DeadJournal (www.deadjournal.com), is vulnerable to an XSS vulnerability which 
allows an attacker to execute script code in a user's browser.

The vulnerability arises out of insufficient sanitization of a user-supplied URL pointing to an image that they wish to 
display as their journal's background. If we were to use the string "www.google.com" as our URL, the following would be 
inserted into our journal's stylesheet:

body { background-image: url(www.google.com); }

While LiveJournal removes all markup from this string, it does not filter out parentheses or semicolons, thus allowing 
us to insert JavaScript code into the stylesheet. For example:

); background:url(javascript:alert("XSS!")

If we were to submit the above as our URL, this is what would be inserted into the stylesheet:

body { background-image: url(); background:url(javascript:alert("XSS!")); }

Obviously, this presents a wide range of possible attack methods (redirection, cookie stealing, etc.) The injected code 
is executed when a victim view's the journal of the attacker. I discovered this vulnerability on Wednesday, Feburary 
18, 2004.

  By Date           By Thread  

Current thread:
  • LiveJournal XSS Joshua Miller (Feb 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]