Sunday, August 19, 2012

The Bug Which Wasn't A Bug

Dear members and guests of InterN0T,

Today it is a little over 7 months since I reported a bug to Google (http://intern0t.blogspot.com.au/2012/01/bug-which-isnt-bug.html), and for old times' sake I wanted to try out the proof of concept, primarily because I like seeing "old" bugs I found not getting fixed; they make me laugh.

Of course the purpose of reporting a bug is to get it fixed, but since Google deemed this a non-bug in January 2012, I assumed they would never encode apostrophes and would remain unaware of the potential threat this minor encoding bug could pose.

Apparently they fixed this bug within the last 3 months or so, meaning they did deem it a bug after all, but where am I on the Hall of Fame? I don't care about the monetary reward, but I do care about credit. Back in January 2012, Google only encoded quotes (") and angle brackets (<, >), but now they also encode apostrophes ('), meaning they definitely fixed the bug / updated their sanitisation function.

It naturally annoys me to see Google act this way: first saying it's not a bug, then fixing it a couple of months later without any notification. Next time I find a bug I probably won't be so kind as to inform them first. Instead I will probably drop it as a 0day, as a reminder to give credit where it is due.

I know this is a dead blog, used primarily for emergencies if InterN0T is down, but posting an entry about this bug here will probably get more attention from Google than posting it on InterN0T.



Best regards,
MaXe

Tuesday, January 17, 2012

The Bug Which Isn't a Bug

Dear members and guests of InterN0T,

A couple of days ago I discovered a bug in the Disqus Widget for Blogger.com. (I haven't heard anything from them yet, even though I've provided them with a permanent solution that fixes the problematic code entirely; see the end of this blog entry.)
When a user adds this widget to his or her blog, a few lines of JavaScript and "Layout Data Tags" are included as well to provide the widget's functionality.

One of these lines, inside a script tag, is vulnerable:
var disqus_blogger_current_url = '<data:blog.url/>';

<data:blog.url/> outputs the current URL, "somewhat". You can't submit custom GET requests, but you can use the Search Form to submit data to this variable, aka "Layout Data Tag" (which is often used in widgets).

This tag does not encode the following characters: ' / ! ( ) ? ; : _ , . - * $ @

Knowing this, if <data:blog.url/> is used within a JavaScript variable, e.g. var x = '...';, then it will most likely be possible to inject JavaScript into it, as an attacker can simply inject ';alert(0);' and the alert(0); statement will execute.

Even in the default template with no widgets installed, the tag is used here too:
<link href='http://itsnotabug.blogspot.com/search?q='Unescaped characters exist here too, including single quotes' rel='canonical'/>

It seems unlikely, but not impossible, to exploit via the link tag above (it depends on the browser).


Anyway, knowing this, and that the bug was found in a widget / plugin to start with, it was clear that it had to be reported, both to the Disqus developers and to the Google Security Team, as this bug could have been prevented if they had sanitised single quotes / apostrophes in the first place.

This was made very clear in the e-mail they received, including that if they would not encode single quotes ('), then they should at least write on their developer pages that it is insecure to use single quotes to encapsulate data.

Within a couple of hours I received the following message:
----------------------------------------------------------------
Hi MaXe,

Thank you for your note. We don't consider this a vulnerability. Users
are permitted to place arbitrary JavaScript, Flash, Java, etc, in their
<username>.blogspot.com domains; this is by design. These domains are
fully isolated from other Google content, and therefore, the risk in
visiting them is no different to navigating to any other website on the
Internet.

Note that there are no authentication cookies or other sensitive
information in these domains; blog management is implemented on
blogger.com, instead.

You can read more about bugs that qualify for a reward here:
http://www.google.com/corporate/rewardprogram.html

Regards,
[Redacted], Google Security Team
----------------------------------------------------------------
[ Figure 1.1 - E-mail response from Google Security Team ]


After receiving this mail, I thought about it for a while and decided to create a test blog so you can see the bug in action, at least until they perhaps decide to encode single quotes.


Simple Proof of Concept: http://itsnotabug.blogspot.com/search?q=%27%3Balert%280%29%3B%27

Second Proof of Concept: http://bit.ly/y1Ifxp
If you want to see the actual URL: http://bit.ly/y1Ifxp+


Disqus Widget Solution:
1. Go to: Blog Settings => Design => Edit HTML
2. Check [X] Expand Widget Templates
3. Search for: var disqus_blogger_current_url = &#39;<data:blog.url/>&#39;;
4. Replace with: var disqus_blogger_current_url = &quot;<data:blog.url/>&quot;;
5. Save, and you're done. It's thankfully that easy in this case.
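To make the mechanism behind both the bug and the double-quote workaround concrete, here is an added example (my own code, not from the original post, Blogger or Disqus). It models the two encoders the text describes (January 2012: only " < > encoded; August 2012: ' encoded too), renders the Disqus widget line with either delimiter, and reports whether the attacker-controlled value stays confined to the string literal. The blog URL format and the itsnotabug.blogspot.com host are assumptions taken from the proof of concept above.

```javascript
// Added example (not code from the original post or from Blogger/Disqus).
// Models the escaping behaviour the text describes and shows why the
// Disqus line broke with single quotes but not with double quotes.

// Escaping as the post says Blogger did in January 2012: only " < > are encoded.
function encodeJan2012(value) {
  const map = { '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return value.replace(/["<>]/g, (c) => map[c]);
}

// Escaping after the fix noted in the August 2012 entry: ' is encoded too.
function encodeAug2012(value) {
  return encodeJan2012(value).replace(/'/g, '&#39;');
}

// Assumed expansion of <data:blog.url/> for a search on the test blog:
// the query string is reflected as-is into the URL.
function blogUrlFor(searchQuery) {
  return 'http://itsnotabug.blogspot.com/search?q=' + searchQuery;
}

// Render the widget line the way the template would, with the chosen delimiter.
function renderWidgetLine(encoder, quote, searchQuery) {
  return `var disqus_blogger_current_url = ${quote}${encoder(blogUrlFor(searchQuery))}${quote};`;
}

// Inside <script>, the HTML parser does not decode entities, so an encoded
// quote (&quot; or &#39;) is inert text in the JS string. The literal is
// therefore only broken when the encoder lets the delimiter itself through.
function literalIsIntact(encoder, quote, searchQuery) {
  return !encoder(blogUrlFor(searchQuery)).includes(quote);
}

// The post's first proof of concept, decoded from its query string.
const POC_QUERY = decodeURIComponent('%27%3Balert%280%29%3B%27'); // ';alert(0);'

console.log(renderWidgetLine(encodeJan2012, "'", POC_QUERY));
console.log('Jan 2012 encoder, single quotes:', literalIsIntact(encodeJan2012, "'", POC_QUERY));
console.log('Jan 2012 encoder, double quotes:', literalIsIntact(encodeJan2012, '"', POC_QUERY));
console.log('Aug 2012 encoder, single quotes:', literalIsIntact(encodeAug2012, "'", POC_QUERY));
```

The second line of output is the Disqus workaround from the steps above: with the old encoder, a double-quoted literal is safe only because " happens to be on the encoded list, which is exactly the dependency the post asked Google to document.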


References:
- http://disqus.com/


Best regards,
MaXe

Thursday, January 12, 2012

12th January 2012 - Domain Issues

Dear members and guests of InterN0T,


We haven't given up, and we know that it's taking a long time, for some almost too long, but we haven't given up. What troubles us the most is that after several attempts to make 1and1 release the domain back to us, they seem to keep ignoring us.

It has been a long struggle so far, and any day they could actually destroy the domain by mistake or by other imbecile means. We've mentioned several times that they've violated ICANN policy and that they have no right to hold the domain "hostage" as they are currently doing.

According to ICANN policy, they must provide the domain owner with an authorization code and the means to unlock the domain within 5 days of the request. That is the official ICANN policy, and it is above anything 1and1 can make up or say: their ToS, licence, or anything else they add to bend those rules.

The problem is that 1and1, and many other hosting providers that also function as domain registrars, don't realise that it's actually "illegal" to break ICANN policy like this, and I believe that if enough cases are made against them, they can be permanently banned as registrars.

Imagine they host 1 million domains and customers pay ~$6 per domain; that's 6 million dollars, and if people can't register domains at a hosting provider, why would most choose hosting at the same place as well? After being patient for so long, we're hoping that 1and1 and all other hosting providers breaking ICANN policy will fall this year. ICANN should step in and say stop, not just because of the case with InterN0T, but because of the many other cases where they break the policy.

As a UDRP case with ICANN would take even longer, we've waited to avoid it. But as time goes on, this is soon going to be the road we'll take, where we report to ICANN that 1and1 won't release our intern0t.net domain. Suing 1and1 has even crossed our minds, even though it would require funds we don't have available right now; the time may come this year when we do.

But for now we will focus on getting the site back, even though the forums will definitely not be up to date, as we couldn't find any recent backups. The forums will return, though, as there is so much content on them we often need that is hard to find anywhere else.

Indeed it has taken too long, and we probably should've worked harder, but running a website on a domain that could disappear from one day to the next is not something we wish to happen, which is why we also bought intern0t.org.

Many thanks to a member of InterN0T, we have good, stable, faster and more reliable servers, where the hosting provider is fine with us hosting our forum. We're glad the "Anti-Hacker" madness has not yet taken over all hosting providers, as it seems more and more of them ban all websites related to hacking.



Best regards,
MaXe