July 14, 2009

Hacking Slandr: XSS and CSRF vulnerabilities patched

Last Sunday I received an alarming email from Aviv Raff (@avivra on Twitter). This is what he wrote:

Slandr suffers from XSS and CSRF vulnerabilities. The m.slandr.net search page does not encode HTML entities in the search form field, which can allow the injection of scripts. Also, the update form on the index.php page does not use an authenticity code in order to validate that the HTTP POST request is coming from the Slandr web application. As this can be used by an attacker to create a Twitter worm, it would be great if you can fix this vulnerability as soon as possible.

I’m going to publish information about this vulnerability as part of the “Month of Twitter Bugs” initiative … (…)

Aviv was kind enough to attach two proof-of-concept links :D. After carefully analyzing his suggestions I implemented various fixes to ensure maximum security on Slandr Mobile Twitter once again. Please note that these vulnerabilities have not been exploited.

For the tech-savvy and interested people out there: the fixes I implemented range from using htmlentities() encoding in more spots in the code, to a token-based solution that checks POSTs are coming from Slandr itself rather than from third-party (malicious) websites. Inspiration for the CSRF fix came from Chris Shiflett’s post on Cross-Site Request Forgeries and OWASP on CSRF. At first I tried the csrf-magic fix: with this PHP class a single include protects every form against CSRF. A great solution to quickly safeguard your site, but it did not play well with the existing Slandr code.
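To make the two fixes concrete, here is an added example in PHP (not Slandr’s own code): a per-session token embedded in the update form and verified on POST, plus htmlentities() encoding of the reflected search term. It assumes PHP 7+ sessions and hypothetical form/field names.

```php
<?php
// Added illustration, not Slandr's code: session-bound CSRF token for the
// update form, and output encoding for the echoed search term (PHP 7+).
session_start();
// Issue one random token per session and reuse it on every form render.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Hidden field to embed in the update form on index.php (field name assumed).
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlentities(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}
// Reject any POST whose token is missing, malformed, or differs from the
// session's; hash_equals() compares in constant time to avoid timing leaks.
function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}
// Encode anything reflected into HTML, e.g. the search term echoed back into
// the search box; ENT_QUOTES also covers the attribute-value context.
function e(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // ... safe to process the status update here ...
}
$q = $_GET['q'] ?? '';
?>
<form method="get" action="search.php">
  <input type="text" name="q" value="<?= e($q) ?>">
</form>
<form method="post" action="index.php">
  <?= csrf_field() ?>
  <textarea name="status"></textarea>
  <button type="submit">Update</button>
</form>
```

A request forged from another site cannot read the session token, so the hidden field will be absent or wrong and the POST is refused; a search term such as a script tag is rendered as inert text in the value attribute.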

So thanks once again Aviv for pointing out these weak spots in Slandr Mobile Twitter! Happy Slandring once again!