there’s a hole in your blog

well, there might be. if you allow HTML in your comments, you could have the same thing happen to you as i had over at surreally: find a hacker bot nestled in one of your directories. i’ve just now found out what causes that, and as security holes go, this one’s huge. MT writes whatever is posted in the comment box straight into the rebuilt page, tags and all. if that page is served as PHP, JSP, ASP or SSI rather than plain HTML, the server treats any server side code sitting in the comment as part of the page and runs it. so basically all a person has to do is put the right bit of server side code, in any of a number of different languages, in the comment box and submit, and it will execute commands on the server. big, scary hole. more about that here.

the patch is simple. right now i’m about to upload it to all the copies of MT running on all the surreallys, then i’ll put up instructions outlining the very simple template changes that will be needed. i’ll link that up when it’s done; i just wanted to get the word out on the patch.

those of you who aren’t using HTML in your comments don’t need to worry.

16 thoughts on “there’s a hole in your blog”

  1. yes, it does. i forgot to mention, this applies mainly to sites that use PHP, JSP, ASP, or SSI (server side includes) — pages with HTML extensions on them are less vulnerable, but it’s never a bad idea to have something that cleans out the undesirable code from the comment box.

    i’m going to put it on all the surreally blogs just to be on the safe side. it also cleans up unclosed tags, so when people forget to put in that </b>, it doesn’t screw up the whole page after that.

  2. Man, that sucks! I added that to my site ages ago — but I didn’t know someone had actually been hit with it. I’m sorry! :-\

  3. yeah, i really should pay more attention to these things. it’s very creepy finding evil bots on your own servers.

  4. unless i’m missing something this doesn’t apply to asp…Response.Write’ing something which contains tags doesn’t seem to have the same effect…although i did only spend about 30 seconds looking at it…

    anyway, if you’re running on asp i have a couple of vbs functions (functions, not mt plugins) which strip html tags out of a string, either all tags or everything except a list of allowed tags (like B I STRIKE A etc for comments), and as a side effect i hadn’t even thought about, they rip out tags as well. if anyone wants them email me

  5. Geekspeak geekspeak!!! Warning Will Robinson Warning Will Robinson!!!

    Okay, KD, now for those of us who do NOT speak Geekesse, THANKS for finding that. I guess until you have the patch in place and let us know, I will disable HTML on my comments.

  6. ARGH. I wasn’t planning to do THAT this morning while I drank my coffee, but now I guess I’m going to be patching, eh?

    kd, you rock for making the announcement. Thank you!!

  7. hi kd–am i understanding you correctly that if your comments pages have html extensions then they are ‘less vulnerable’ than if they have php extensions? thanks for sharing this, btw.

  8. I think I told you on a previous post that I wasn’t allowing HTML in my comments, so don’t worry about patching me. Well, guess what? Certain somebodys keep posting HTML to my comments, so I turned it on (just for a while…). Please don’t hate me. I need the patch almost as bad as I need a drink right now. I’ll make it up to you sometime, I swear!

  9. in order to do any real damage on plain HTML pages would take some mighty fancy javascript.

    however, this is worth it, just to keep people from putting in weird style tags, or leaving tags open, and it gives you exact control over what you do allow. this is a good thing.

