Code insertion in Blogger comments

The following dropped into my email today. If you aren’t particularly technically inclined, this is essentially a security problem with Blogger whereby anyone can run malicious code on the Web server hosting your blog. This is quite the serious security issue, and although Blogger has been notified of the issue, they haven’t corrected it yet. If you’re on Blogger, consider yourself warned. (I have removed the poster’s email address for obvious reasons. If you need it, get it from the mailing list archives.)

Date: Mon, 28 Mar 2005 15:51:57 -0700
Subject: Code insertion in Blogger comments
From: Antone Roundy <antone@>
To: bugtraq@securityfocus.com

Having notified Blogger of this twice over the course of a number of months, and not seeing them take any action (beyond saying that they’ll look at it) or warn their users, I think it’s time to warn people. Under the following conditions, Blogger weblogs are vulnerable to executable code insertion by third parties:

  • Comments must be enabled.
  • The server must support server-side processing, such as PHP, ASP, SSI, etc. (I’m pretty sure Blogspot-hosted blogs are NOT vulnerable).
  • The Archive Filename (in the Settings/Archiving tab) must have an extension which triggers server-side processing, such as .php, .asp, .shtml, etc. Depending on one’s server configuration, files with extensions like .html and .htm may also be server-side-processed - no particular extension is necessarily safe.
  • It may be necessary to have individual post pages enabled (also in the Settings/Archiving tab) - I haven’t checked where the comments go with that setting off.

Under these circumstances, an attacker may inject executable code into the archive page by posting a comment to the weblog because, while Blogger automatically strips most HTML from comments, they do not strip processing instructions. Blogger should be stripping out EVERYTHING between a “<” and the next “>” unless it is one of the allowed HTML tags, or should be stripping all unapproved HTML and converting any remaining “<” characters that aren’t part of approved HTML to &lt;.

Antone Roundy
antone@

RSS & Atom Tools: http://www.geckotribe.com/rss/
RSS & Atom Feed Directory: http://chordata.geckotribe.com/
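
The filtering rule proposed in the message, sketched as an added example; it is not code from the original post, from its author, or from Blogger. The allowlist, the function names and the sample comments are assumptions made for illustration.

```python
import re

# Assumed allowlist; the message does not say which tags Blogger permits.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "br"}

TOKEN = re.compile(r"<[^>]*>|<")  # a "<...>" span, or a "<" with no ">" after it
PLAIN = re.compile(r"<(/?)([A-Za-z]+)\s*/?>\Z")  # tag without attributes
LINK = re.compile(r'<a\s+href="(https?://[^"<>\s]*)"\s*>\Z', re.I)


def _filter(match):
    token = match.group(0)
    if token == "<":
        # Unterminated opener: PHP runs "<?php ..." without a closing "?>",
        # so a stray "<" must be neutralised rather than passed through.
        return "&lt;"
    link = LINK.match(token)
    if link:
        return '<a href="%s">' % link.group(1)
    plain = PLAIN.match(token)
    if plain and plain.group(2).lower() in ALLOWED_TAGS:
        # Rebuild the tag from its parsed parts instead of echoing the input.
        return "<%s%s>" % (plain.group(1), plain.group(2).lower())
    # Not an approved tag: processing instructions (<? ... ?>), ASP blocks
    # (<% ... %>) and SSI directives (<!--# ... -->) are all dropped here.
    return ""


def sanitize_comment(text):
    """Keep approved tags, strip every other <...> span, escape stray '<'."""
    return TOKEN.sub(_filter, text)


# Constructed sample comments, not taken from the report.
SAMPLES = [
    'Nice <b>post</b> <?php echo 1; ?>!',
    '<!--#echo var="DATE_LOCAL" --> hi',
    '<% Response.Write(1) %>',
    'end <?php echo 1;',
    '<a href="http://example.com/">x</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(sanitize_comment(sample)))
```

Because every `<` in the output is either part of a rebuilt approved tag or has become `&lt;`, nothing the comment author typed can open a processing instruction in the archive file, whatever extension it is saved under.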