Advogato XSS Virus

Correspondence

This account was posted on http://www.advogato.org/:

Posted 21 Sep 2002 by mascot (Journeyer)

A warning: someone has been playing around with Advogato, and has come up with something I can only think of as an Advogato virus. It spreads each time you visit this person's page - or even the People index!

The virus works because Advogato doesn't check for disallowed HTML in your first and last names. This person - using accounts ttt, tttt, ttt1, and ttt2 - has placed an iframe and some clever Javascript in their first name field, which will automatically update the account of any visitor so that their name fields also contain the iframe.

Since the name fields are displayed not only on the personal page, but also on the People index, the virus will spread to anyone who visits this index. I suspect that this will spread quite fast. Of course, it's very easy to disinfect your account - simply go into your Account page and re-enter your first and last name. It would probably also be a good idea to fix Advogato, to stop this particular exploit from happening again.

But this article was posted partly as a warning, and partly to pose a question: Will any website ever be totally attack-proof?

Should be fixed now, posted 21 Sep 2002 by raph

I just committed a patch and made it live. This runs all names through nice_text() when being rendered to HTML.

Thanks for the heads-up!

To check or not to check, posted 22 Sep 2002 by garym

I must confess a curious feeling on reading the headline in my Peerkat display this morning: If the website is infected, but you have to go to the website to read the news of the infection (and presumably the fix too), isn't that a bit of a quandary? If I follow the text, I might get infected by the story having been infected by infected accounts reading it, or the story itself may be a trojan lure.

Ok, I didn't take those fears seriously, but they did flash through my mind on reading the headlines. In the end I figured, "How bad could a website hack on a Linux client actually be?" and did the click through.

disinfection, posted 23 Sep 2002 by Denny

raph, did you disinfect the database after you patched, or should people re-enter their names to be sure?

~denny

Re: disinfection, posted 24 Sep 2002 by mascot

It seems that the database was disinfected (or something else happened to stop the virus appearing).

But the quick way to tell if you're infected was to go to your personal page; if a box containing a load of text appears in place of your name, then you're infected and you need to re-enter your name. (The virus didn't hide itself at all; if your name looks right then you don't have the virus.)
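The two mechanics this thread turns on are the missing escaping that mascot describes (a name field interpolated straight into the profile page and the People index) and the two-part cleanup that raph's patch and Denny's follow-up cover (escape at render time, then find the rows in the database that still carry markup). The block below is an added example illustrating both; it is not Advogato's code, and the account data is constructed. Advogato's real nice_text() is a C function whose exact rules are not reproduced here; the escapeHtml() helper is assumed to stand in for it, and the "infected" sample name uses a plain iframe placeholder rather than the original payload.

```javascript
// Added example, not code from Advogato (mod_virgule). Shows why an unescaped
// name field lets stored markup reach every visitor, what escaping at render
// time changes, and how to find stored rows that still contain markup.

// Assumption: nice_text() in Advogato escapes at least these five characters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so it is inert inside an HTML text node or quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The defect: the name fragment is built from the raw stored strings, so whatever
// the account owner typed becomes live markup on the profile page and on the
// People index, i.e. for every visitor who loads either page.
function renderNameVulnerable(account) {
  return `${account.first} ${account.last}`;
}

// The fix raph describes: every name goes through the escaper when rendered to HTML.
// Same stored data, but tags and quotes come out as entities, not markup.
function renderNameSafe(account) {
  return `${escapeHtml(account.first)} ${escapeHtml(account.last)}`;
}

// Does a string still contain something the browser would parse as a tag?
const TAG_RE = /<\s*\/?\s*[a-zA-Z][^>]*>/;
function containsTag(s) {
  return TAG_RE.test(s);
}

// Denny's question: patching the renderer protects visitors, but the stored
// names are unchanged. This scans the stored rows so the infected accounts can be
// cleaned or told to re-enter their names. (mascot's manual check, "a box
// appears in place of your name", is the per-account version of the same test.)
function findInfectedAccounts(accounts) {
  return accounts
    .filter((a) => containsTag(a.first) || containsTag(a.last))
    .map((a) => a.user);
}

// Constructed sample rows. The 'ttt' row carries an <iframe> placeholder in the
// first-name field as a stand-in for the original payload; no script is included.
// The 'bob' row shows legitimate characters that must survive escaping intact.
const ACCOUNTS = [
  { user: 'alice', first: 'Alice', last: 'Example' },
  { user: 'ttt',   first: '<iframe src="https://example.invalid/"></iframe>', last: 'x' },
  { user: 'bob',   first: 'Bob & "Bobby"', last: "O'Neil" },
];

// Stand-alone run: compare both renderings and list the rows that need cleanup.
if (typeof require !== 'undefined' && require.main === module) {
  for (const a of ACCOUNTS) {
    console.log(`${a.user} vulnerable: ${renderNameVulnerable(a)}`);
    console.log(`${a.user} safe:       ${renderNameSafe(a)}`);
  }
  console.log('rows still carrying markup:', findInfectedAccounts(ACCOUNTS));
}
```

The point of keeping both renderers side by side is that the stored data is identical in each case; only the rendering step decides whether the iframe is markup or text. That is also why the database scan is a separate step: the escaping patch stops the spread immediately, but until the stored names are rewritten (or re-entered, as mascot suggests) the rows remain a record of who was hit, and any other code path that renders names without the escaper would reopen the problem.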