Userstyle xss vulnerable

Basically, the userstyle description part supports full HTML syntax (except JS), so it's pretty messed up.
Have a look at my style here: https://userstyles.org/styles/152947/don-t-enter-this-page

Comments

  • I warn that there are loud screams if someone wants to see his style.

    The worst part is that it is also in search with list view:
    image

    But we can use it to do cool things like gallery:
    https://userstyles.org/styles/142082/dark-cyan-theme-userstyles-org-stylish
    image

    With this simple code we can show the full image if it doesn't have the required size:
    <style>#preview_image_div{background-size:contain!important}</style>
    https://userstyles.org/styles/139579/socialblade-dark-theme
    image image
  • I reported this very dangerous vulnerability to userstyles.org’s administrator on 2017-11-03.

    However, it has not been fixed yet.

    For example, attackers can steal passwords of userstyles.org’s users.

  • edited December 2017 Chrome
    Pabli said:

    I warn that there are loud screams if someone wants to see his style.

    The worst part is that it is also in search with list view:
    image

    But we can use it to do cool things like gallery:
    https://userstyles.org/styles/142082/dark-cyan-theme-userstyles-org-stylish
    image

    With this simple code we can show the full image if it doesn't have the required size:
    <style>#preview_image_div{background-size:contain!important}</style>
    https://userstyles.org/styles/139579/socialblade-dark-theme
    image image

    Uhm, I made this style for demonstration purposes only and to show that Userstyles page can easily be vulnerable to people with bad intentions, so there isn't really anything in the style yet.
  • edited December 2017 Firefox
    This is useful to know. I've been wanting to plaster banners on browser styles that need to be applied using userChrome.css and now I see how. E.g., https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

    (I promise no passwords are stolen in that page.)

    But I don't want to minimize the concern that fake forms pose a serious threat.
  • edited December 2017 Firefox
    image
  • edited December 2017 Waterfox
    About :
    Jefferson said:

    This is useful to know. I've been wanting to plaster banners on browser styles that need to be applied using userChrome.css and now I see how. E.g., https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

    How do you code the banner of this userstyle to add this sticky message?
    "Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.
    More information on creating a userChrome.css file: How to Create a userChrome.css File."
    What editor do you use for that?

  • decembre said:


    How do you code the banner of this userstyle to add this sticky message?
    "Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.
    More information on creating a userChrome.css file: How to Create a userChrome.css File."
    What editor do you use for that?

    A lot of Edit Style / Save / tweak rules using the Inspector / repeat. This is now at the top of the Description field in the form:

    <p style="position:fixed;z-index:999;top:0;right:0;margin-top:0;width:calc(70% - 32px);padding:16px;color:#000;background-color:#ff6;text-align:center;font-size:20px!important;"><b>Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.<br>More information on creating a userChrome.css file: <a href="https://www.userchrome.org/how-create-userchrome-css.html">How to Create a userChrome.css File</a>.</b></p>
  • That's pretty awful. I actually just found the example by mistake when looking for a style for google translate. This is as poor as web design goes. It's amazing that it was reported over a month ago and they haven't done anything yet.
  • edited December 2017 Waterfox
    Thanks;
    It's very impressive !
    I like to customize but with this possibility we can make very dangerous things.

    One question:
    How to see which code is used (typed) to have these effects?

    I tried with Firebug, the DevTools and the page source, but I can't see them:

    I see the effects (position: fixed etc.) as if they were the original site's code, but I don't see that it is an addition made by an author, or what code it injects in this part of the page.
    For example, I don't see style="position:fixed; etc..."

    Ps:
    The hover effect on the gallery in the description of Dark Cyan Theme - UserStyles.org Stylish by Pabli is very fine !
    Since we don't have the possibility to add Additional screenshots , because that's broken now, i want reuse it...
    ;-)
  • decembre said:

    One question:
    How to see which code is used (typed) to have these effects?

    The normal source (Ctrl+u) does not include dynamic content; it's more of an empty shell. If you Select All (Ctrl+a), then the right-click context menu has View Selection Source. That will include all of the code injected by scripts. Not including the iframes, of course, you need to view those separately.

    If you're using the Inspector, right-click the relevant element, Copy > Outer HTML and you can paste that into a decent text editor (e.g., Notepad++ or Atom) to view with some syntax coloring to better make sense of it.
  • edited December 2017 Firefox

    This is the user-side workaround by the to protect your account and plain password.

    1. Install the browser extension uBlock Origin
    2. Open the dashboard
    3. Select the “My filters” tab
    4. Add |https://userstyles.org^$inline-script on a new line
    5. Change your password just in case
    • This causes problems, such as the redirect after editing not working.

    Setting check

    Try opening this URL; if you see an alert dialog, something is wrong.
    https://userstyles.org/styles/153129/userstyles-org-xss-vulnerability-test

  • edited December 2017 Firefox

    You got one $inline-script too many there, |https://userstyles.org^$inline-script should work.

  • edited December 2017 Firefox

    You got one $inline-script too many there, |https://userstyles.org^$inline-script should work.

    Thank you. I corrected $inline-script$inline-script.

  • edited December 2017 Chrome
    |https://userstyles.org/styles/*^$inline-script
  • Jefferson said:

    This is useful to know. I've been wanting to plaster banners on browser styles that need to be applied using userChrome.css and now I see how. E.g., https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

    This style is very good, the idea is great.
    Is it possible to do the same thing with the sidebar bookmarks, making it wider and with two columns?
  • João. said:

    Jefferson said:
    This style is very good, the idea is great.
    Is it possible to do the same thing with the sidebar bookmarks, making it wider and with two columns?
    Hmmmaybe. Since I also need to do something for the toolbar bookmarks menu button I will look at the sidebar as well.
  • catcat520 said:

    |https://userstyles.org/styles/*^$inline-script

    XSS attack is possible on https://userstyles.org/categories/global also.

    I think that there is no omission and the users can ensure security if they block inline scripts on whole userstyles.org, but are there pages that they had better not block?

  • I can't log in if I block the whole |https://userstyles.org/*^$inline-script, so it may be more reasonable to block
    |https://userstyles.org/styles/*^$inline-script and
    |https://userstyles.org/categories/*^$inline-script separately

  • edited December 2017 Waterfox
    Jefferson said:

    decembre said:

    One question:
    How to see which code is used (typed) to have these effects?

    If you're using the Inspector, right-click the relevant element, Copy > Outer HTML and you can paste that into a decent text editor (e.g., Notepad++ or Atom) to view with some syntax coloring to better make sense of it.
    Thanks for the tutorial!

    Should have an option to show these outer Outer HTML without that:
    If we don't know they are here or on which element they are applied, it can be hard to find them.
    I tested quickly on :
    Dark Cyan Theme - UserStyles.org Stylish
    and i can't find the right Outer HTML...
  • Jefferson said:

    Hmmmaybe. Since I also need to do something for the toolbar bookmarks menu button I will look at the sidebar as well.

    Ok. Thank you.
  • I can't log in if I block the whole |https://userstyles.org/*^$inline-script, so it may be more reasonable to block

    |https://userstyles.org/styles/*^$inline-script and

    |https://userstyles.org/categories/*^$inline-script separately

    If I block the whole site, the redirect after logging in does not work, but I opened my user page and I confirmed that I logged in successfully.

    I tried to use a whitelist system, but uBlock Origin does not seem to support it for the $inline-script option. Your way might be a good way.

  • decembre said:

    Should have an option to show these outer Outer HTML without that:
    If we don't know they are here or on which element they are applied, it can be hard to find them.

    I think the easiest way to get close to the right spot in the Inspector is right-click > Inspect Element. Are we only looking at "Description" and "Notes from latest update"? I'm not sure it's possible to inject HTML elsewhere on the page.
  • Looks like this vulnerability was fixed. Unfortunately, the sledgehammer broke some innocent uses of inline CSS, but...
  • I confirmed that this vulnerability was fixed too, and the allowed HTML seems to have been repaired to follow the Format of style descriptions.