Stored (Persistent) XSS on tumblr

Tumblr is vulnerable to a Stored (persistent) Cross-Site Scripting vulnerability, which I disclosed to them around 3 weeks ago, but it looks like it's still not fixed.

Tumblr, stylized as tumblr., is a microblogging platform and social networking website, owned and operated by Tumblr, Inc. The service allows users to post multimedia and other content to a short-form blog, named a “tumblelog”. Users can follow other users’ blogs, as well as make their blogs private. Much of the website’s features are accessed from the “dashboard” interface, where the option to post content and posts of followed blogs appear. [Source: Wikipedia]

Last I checked, Tumblr had 63.7 million blogs and 27 billion posts [], which is why it is very discomforting to find an issue like XSS on a site that is ranked 35 on Alexa.

For the newbies: Cross-Site Scripting is a vulnerability that arises when an application takes user input and sends it back to the browser without removing or encoding the characters that carry meaning in HTML or script context (<, >, ", ', / and so on). So, instead of displaying the input as text, the browser renders it as markup or executes it as script, depending on whether the injected content was an HTML tag or script content.

XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user’s browser using automated frameworks like BeEF, and download and execute exploits on the victim’s computer. Stored XSS is even more dangerous, since the script is saved on the server and is executed every time a user visits an infected page, without the victim having to be lured to a crafted link. Several XSS-based worms have been created in the past that caused a lot of trouble on popular websites like Myspace and Orkut.

I will wait another week before posting the technical details here; in the meantime, here are some screenshots for the curious:

Update [14 July 2012]: Tumblr has fixed the Stored XSS vulnerability, so here are the technical details as promised.

The XSS issue was on the “Register Application” page. The application was not encoding user input before reflecting it back into the page when a user created a new application. An XSS attack vector like tester"><img src="x" /> (the quote and > close the attribute and the tag the value sits in, and the script rides on the injected element) would trigger an alert box, displaying the user’s cookie, in the browser.
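The attribute break-out behind this vector, shown as an added example rather than Tumblr's code: a template interpolates the application name into a quoted value attribute once without encoding (the bug pattern described above) and once through html.escape, and a parser then lists the elements a browser would see in each output. The field name app_name and the form markup are assumptions for the example; the payload is the one from the post, minus any event handler.

```python
import html
from html.parser import HTMLParser

# Constructed from the vector in the post: the value closes the attribute and
# the <input> tag, then injects an <img> element. A real payload would carry
# script in an event handler on that element; none is needed to show the break-out.
PAYLOAD = 'tester"><img src="x" />'

# Hypothetical field name for the example; the original form is not reproduced.
FIELD = 'app_name'


def render_vulnerable(name):
    """Interpolates the raw value into a quoted attribute: the bug pattern."""
    return '<input type="text" name="%s" value="%s">' % (FIELD, name)


def render_fixed(name):
    """html.escape(quote=True) turns < > & " ' into entities, so nothing in the
    value can terminate the quoted attribute or start a new tag."""
    return '<input type="text" name="%s" value="%s">' % (
        FIELD, html.escape(name, quote=True))


class _Tags(HTMLParser):
    """Collects every start tag the parser sees, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags


def injected_elements(markup):
    """Tags other than the single <input> the template intends to emit."""
    return [t for t, _ in parse_tags(markup) if t != 'input']


if __name__ == '__main__':
    for label, render in (('vulnerable', render_vulnerable),
                          ('fixed', render_fixed)):
        out = render(PAYLOAD)
        print('%-10s %s' % (label, out))
        print('           injected elements: %s' % injected_elements(out))
```

In the fixed output the parser still recovers the original string as the value of the attribute, which is the point: encoding preserves the data and only removes its ability to change the markup. Note that escaping is only sufficient because the attribute is quoted, and that a value placed into a script block or a URL needs encoding for that context instead.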

Great work on the part of the Tumblr Security team in getting this fixed. I only hope they don’t wait 3 weeks before fixing something like this the next time.


PHP Parse error: syntax error, unexpected $end in on line – The Error and The Fix

While working on a test web application last night, I hit upon the following error, which for a second had me lost.

I checked to see if I had the opening and closing tags correct. Upon further investigation, I found that this was due to my using the “short tag” for PHP in the html_functions.php file. I normally use “<?php” to open my PHP statements, but in this particular file I had missed the “php” and had accidentally used “<?” to open a statement.

As is evident from the image, I use XAMPP to host test applications when developing on Windows. To find out more, I did some reading on a specific setting in php.ini called “short_open_tag”. I opened php.ini at “c:\xampp\php\php.ini”, which is the default location for XAMPP, and searched for the “short_open_tag” setting. It was set to “off”, so the quick fix was merely to change the setting to “on”, restart Apache and reload the page. The setting in php.ini finally looked like this:

short_open_tag = On

The following paragraph, taken from the php.ini file, explains the setting better:

This directive determines whether or not PHP will recognize code between <? and ?> tags as PHP source which should be processed as such. It’s been recommended for several years that you not use the short tag “short cut” and instead to use the full tag combination. With the wide spread use of XML and use of these tags by other languages, the server can become easily confused and end up parsing the wrong code in the wrong context. But because this short cut has been a feature for such a long time, it’s currently still supported for backwards compatibility, but we recommend you don’t use them.

Default Value: On
Development Value: Off
Production Value: Off
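Since the production defaults above leave short_open_tag Off, a file that relies on “<?” will hit the same parse error again on any server that keeps those defaults; the durable fix is to find the short tags and replace them with “<?php”. The following scanner is an added example, not code from the post: it reports every “<?” that is neither “<?php” nor “<?=” (which PHP 5.4 and later always recognise), and separately flags XML declarations, which are the tags that short_open_tag=On would misread as PHP, the confusion the php.ini comment describes. The sample file it runs on is constructed for the example.

```python
import re

# Tags PHP always recognises: "<?php" followed by whitespace, and "<?=" (PHP >= 5.4).
FULL_TAG = re.compile(r"<\?(?:php(?=\s)|=)", re.IGNORECASE)
XML_DECL = re.compile(r"<\?xml\b", re.IGNORECASE)
ANY_OPEN = re.compile(r"<\?")


def find_short_open_tags(src):
    """Return [(line, kind, context)] for every '<?' that is not '<?php' or '<?='.

    kind == 'short-tag': ignored when short_open_tag=Off, so the PHP that follows
    is emitted as literal text and the parser later fails with 'unexpected $end'.
    kind == 'xml-decl': an XML declaration, which with short_open_tag=On is
    misread as the start of PHP code.
    """
    hits = []
    for m in ANY_OPEN.finditer(src):
        pos = m.start()
        if FULL_TAG.match(src, pos):
            continue
        kind = "xml-decl" if XML_DECL.match(src, pos) else "short-tag"
        line = src.count("\n", 0, pos) + 1
        eol = src.find("\n", pos)
        context = src[pos:eol if eol != -1 else len(src)].strip()
        hits.append((line, kind, context))
    return hits


# Constructed sample mixing HTML and PHP; not a file from the post.
SAMPLE = '''<?xml version="1.0"?>
<html>
<?php echo "full tag"; ?>
<? echo "short tag"; ?>
<?= $title ?>
<?
function footer() { return "x"; }
?>
</html>
'''

if __name__ == "__main__":
    import sys
    # Pass a path to scan a real file; otherwise the constructed sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line, kind, context in find_short_open_tags(src):
        print("%d: %-9s %s" % (line, kind, context))
```

The scanner is a plain text search, so a “<?” inside a PHP string literal or comment is reported too; treat the output as a worklist to review rather than something to rewrite automatically.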

Problem solved, I spent the rest of the time I had on some fancy GUI and cookie monsters 😀