Twitter among web apps affected by patched XSS bug

By on

Flaw lies in "escaping code".

The makers of an open-source web application framework, on which popular programs such as Twitter are constructed, has issued a patch for a major cross-site scripting vulnerability.

Ruby on Rails last week issued an advisory that said the flaw lies "in the escaping code for the [framework's] 'form helpers'...Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML."

Versions 2.0 and later are impacted.

Researcher Brian Mastenbrook, who discovered the bug, said in a blog post that the issue affects at least Twitter and business web applications produced by 37signals, which include Basecamp, Highrise, Backpack and Campfire. He decided to conduct tests on those applications after noticing a vulnerability in the Unicode character encoding standard a few weeks ago.

"I suddenly had an idea: 'I wonder if there are any web applications which have Unicode handling problems that might be security issues?'" he wrote. "A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of Twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of."

Mastenbrook said Twitter fixed the problem itself, but 37signals referred him, after repeated requests, to Ruby on Rails to solve the issue.

"Web application security is still an immature field, and many of the layers are sufficiently poorly designed that issues like this will pop up for a good long while," Mastenbrook wrote. "Just like buffer overflows have been a weak spot for C [code] security long as the internet has been around, escaping issues will continue to be a weak spot for web security for as long as we're afflicted with this particular architecture."

Mastenbrook suggested all browsers should contain cross-site scripting filtering functionality, as is present, at least in a limited form, in Internet Explorer 8.

See original article on scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
application bug cross patched scripting security site twitter vulnerability web xss
In Partnership With

Most Read Articles

Telstra confronts "really abysmal" reality of customer gripes

Telstra confronts "really abysmal" reality of customer gripes
Victorians flock to Google Pay myki alternative

Victorians flock to Google Pay myki alternative
NSW Police core systems director departs with immediate effect

NSW Police core systems director departs with immediate effect
Bunnings floors it on digital store rollout

Bunnings floors it on digital store rollout
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Your mobile devices may not be secure – learn how to fix that
Your mobile devices may not be secure – learn how to fix that
Don’t risk your business – learn how to protect your cloud assets
Don’t risk your business – learn how to protect your cloud assets
Accelerate your cloud adoption - Go Fast, Securely
Accelerate your cloud adoption - Go Fast, Securely
Lessons Learnt - The Unisys Cloud Migration Journey – a digital transformation case study
Lessons Learnt - The Unisys Cloud Migration Journey – a digital transformation case study
How to drive revenue and increase loyalty through customer experience in retail
How to drive revenue and increase loyalty through customer experience in retail

Events

Log In

Username / Email:
Password:
  |  Forgot your password?