May 12th 2006

Basic XSS flaws in Warwick Blogs

For non-Warwick University students, Warwick Blogs is a service provided by the University which offers a blog for every student and member of staff.

For a system with over 4000 blogs I found it pretty alarming I could simply enter Javascript into the 'URL' field when entering a comment in order to inject it into the page, along with some other fairly trivial hyperlink-based injections based on their textile markup language.
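To make the shape of that bug concrete, here is an added illustration in a hypothetical comment renderer. This is not code from the original post and not Warwick Blogs' own code (the post does not show how the service rendered comments); the field names, the markup and every comment below are constructed. The vulnerable version copies the commenter's URL field straight into an href attribute, so a `javascript:` URL becomes a link that runs script in whichever reader clicks it, and a stray quote breaks out of the attribute entirely. The hardened version allow-lists http(s) URLs, HTML-escapes everything it emits, and routes textile-style `"label":url` links in the comment body through the same checks.

```javascript
// Added example (hypothetical comment renderer, not Warwick Blogs' code).
// Constructed sample comments; the 'url' field is what the commenter typed.
const comments = [
  { name: "alice", url: "https://example.org/", body: "Nice post." },
  { name: "anon", url: "javascript:alert(document.cookie)", body: "Check this out" },
  { name: "anon", url: "\" onmouseover=\"alert(1)", body: "<script>x</script>" },
  { name: "anon", url: "http://example.org/", body: 'Textile link: "click":javascript:alert(1)' },
  { name: "bob", url: "https://example.org/", body: 'See "docs":https://example.org/docs now' },
];

// VULNERABLE: trusts the URL field and the body, pastes both into HTML verbatim.
function renderCommentUnsafe(c) {
  return `<a href="${c.url}">${c.name}</a>: ${c.body}`;
}

// Escape the five characters that matter inside HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list, not block-list: only absolute http(s) URLs survive. The WHATWG
// parser lower-cases the scheme, so "JAVASCRIPT:" is caught too, and relative
// or malformed input (like a quote-breakout attempt) throws and yields null.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) {
    // not an absolute URL at all
  }
  return null;
}

// Minimal textile link syntax: "label":url. Links are extracted from the raw
// body first, then every piece (label, href, surrounding text) is escaped.
// A link whose URL fails the allow-list is emitted as escaped plain text.
function renderBody(body) {
  const re = /"([^"]+)":(\S+)/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = re.exec(body)) !== null) {
    out += escapeHtml(body.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[0]);
    last = re.lastIndex;
  }
  return out + escapeHtml(body.slice(last));
}

// HARDENED: the commenter's name only becomes a link if the URL passes
// safeHref; rel="nofollow" is a spam deterrent, not a security control.
function renderCommentSafe(c) {
  const href = safeHref(c.url);
  const name = escapeHtml(c.name);
  const who = href ? `<a href="${escapeHtml(href)}" rel="nofollow">${name}</a>` : name;
  return `${who}: ${renderBody(c.body)}`;
}

// Stand-alone demo: print both renderings side by side.
for (const c of comments) {
  console.log("UNSAFE:", renderCommentUnsafe(c));
  console.log("SAFE:  ", renderCommentSafe(c));
}
```

The point of the allow-list is that a block-list of bad schemes is never complete: `javascript:`, `data:`, `vbscript:`, upper-case variants, and scheme names padded with whitespace or control characters have all been used to slip past such filters, whereas "must parse as an absolute http or https URL" rejects all of them at once.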

However, what I found more alarming was that after I raised the issue with IT Services, they replied saying:

We are aware that there is a chance of the system being exploited in this way however it is against the acceptable use policy to do so and anyone who does will be penalised accordingly.

Riiight. All of the blogs I subscribe to on Warwick Blogs allow an anonymous user to post comments without moderation - how is this utopian security ideal going to help them? Admittedly, logged in users can be traced back to the student they originated from, but this would hardly be much of a deterrent - a victim wouldn't necessarily connect their user account being compromised (say, via cookie theft) with a blog they read last week.

Anyway, after an email exchange IT Services seemed to understand that Anonymous Cowards don't have to agree, even implicitly, to an Acceptable Use Policy to comment, let alone follow one, so now the flaws have been fixed until someone with more than a 2-minute passing interest in XSS vulnerabilities has a go at the system.

No, that was not a hint.
