Code insertion in Blogger comments
Having notified Blogger of this twice--once early last October and
again mid-January of this year--and not seeing them take any action
(beyond saying that they'll look at it) or warn their users, I think
it's time to warn people. Under the following conditions, Blogger
weblogs are vulnerable to executable code insertion by third parties:
* Comments must be enabled.
* The server must support server-side processing, such as PHP, ASP,
SSI, etc. (I'm pretty sure Blogspot-hosted blogs are NOT vulnerable).
* The Archive Filename (in the Settings/Archiving tab) must have an
extension which triggers server-side processing, such as .php, .asp,
.shtml, etc. Depending on one's server configuration, files with
extensions like .html and .htm may also be server-side-processed--no
particular extension is necessarily safe.
* It may be necessary to have individual post pages enabled (also in
the Settings/Archiving tab)--I haven't checked where the comments go
with that setting off.
Under these circumstances, an attacker may inject executable code into
the archive page by posting a comment to the weblog because, while
Blogger automatically strips most HTML from comments, they do not strip
processing instructions. Blogger should be stripping out EVERYTHING
between a "<" and the next ">" unless it is one of the allowed HTML
tags, or should be stripping all unapproved HTML and converting any
remaining "<" characters that aren't part of approved HTML to <.
Antone Roundy
antone@xxxxxxxxxxxxxx
RSS & Atom Tools: http://www.geckotribe.com/rss/
RSS & Atom Feed Directory: http://chordata.geckotribe.com/