The Bug Which Isn't a Bug
From: InterN0T Advisories <advisories () intern0t net>
Date: Tue, 17 Jan 2012 19:23:53 -0500
Dear "Full Disclosers",
A couple of days ago, I discovered a bug in the Disqus Widget for
Blogger.com (I haven't heard anything from them yet, even though I've
provided them with a permanent solution that fixes the problematic code
entirely. See end of blog entry via the link.)
and "Layout Data Tags" are included as well, to offer functionality to the
One of these lines within a script tag, in particular, is even vulnerable:
var disqus_blogger_current_url = '<data:blog.url/>';
<data:blog.url/> outputs the current URL "somewhat". You can't submit
custom GET-requests (afaik), but you can use the Search Form to submit data
to this variable, aka the data:blog.url "Layout Data Tag" (which is often used
This tag does not encode the following characters: ' / ! ( ) ? ; : _ , . - * $ @
variable, e.g. var x = '...'; Then it will most likely be possible to
and the alert(0); statement will be executed.
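The failure the post describes is a template that drops an unencoded value into a single-quoted JavaScript string literal, so a single ' in the value closes the literal early and the rest of the value is parsed as code. The following is an added example, not the advisory's proof of concept, the author's proposed fix, or Disqus/Blogger code: it models the vulnerable line, shows an encoder that keeps the literal boundary intact inside a <script> block, and checks both. The function names and the sample URL are constructed for illustration.

```javascript
// Added example (not from the advisory or from Disqus/Blogger): why an
// unencoded value inside a single-quoted JS string literal is unsafe, and how
// to encode it so the literal cannot be closed early.

// Naive template, modelled on the advisory's line:
//   var disqus_blogger_current_url = '<data:blog.url/>';
// The tag value is substituted with no encoding of the ' character.
function naiveScriptLine(url) {
  return "var disqus_blogger_current_url = '" + url + "';";
}

// Encode a value as a JavaScript string literal that is safe to embed inside
// a <script> block. JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements cover "</script>"-style breakouts and
// the U+2028/U+2029 line terminators, which JSON permits raw but which older
// JavaScript engines treat as line breaks inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, function (c) {
    return "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Hardened template: the value is always a well-formed double-quoted literal.
function safeScriptLine(url) {
  return "var disqus_blogger_current_url = " + jsStringLiteral(url) + ";";
}

// Count occurrences of a quote character that are not preceded by a backslash.
// A well-formed literal has exactly two; any more means the value closed the
// literal early and whatever follows is parsed as code.
function unescapedQuoteCount(line, quote) {
  var n = 0;
  for (var i = 0; i < line.length; i++) {
    if (line[i] === quote && (i === 0 || line[i - 1] !== "\\")) n++;
  }
  return n;
}

// Round-trip check: parse the encoded literal back and confirm it yields the
// original value unchanged. Only the encoded literal is ever evaluated here.
function roundTrips(value) {
  return new Function("return " + jsStringLiteral(value) + ";")() === String(value);
}

// Constructed sample input: a search query containing several of the
// characters the advisory lists as unencoded (' / ( ) ;), but no payload.
var constructedUrl = "http://example.blogspot.com/search?q=it's (test); 1/2";

console.log(naiveScriptLine(constructedUrl));
console.log("unescaped ' in naive line:", unescapedQuoteCount(naiveScriptLine(constructedUrl), "'"));
console.log(safeScriptLine(constructedUrl));
console.log('unescaped " in safe line:', unescapedQuoteCount(safeScriptLine(constructedUrl), '"'));
console.log("round-trips:", roundTrips(constructedUrl));
```

The naive line ends up with three unescaped single quotes, which is exactly the condition the post relies on; the encoded line always has the two that delimit the literal, regardless of what the value contains. Encoding for the JavaScript-string context is the relevant fix here; HTML entity encoding alone would not help, since the value sits inside a script block where entities are not decoded.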
For more information and live PoCs please visit:
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/