back to article Evil CSS injection bug warning: Don't let hackers cross paths with your website

Developers should check their websites for path-relative stylesheet import (PRSSI) vulnerabilities, which can allow miscreants to hijack web pages and steal login cookies, security researchers have urged. PRSSI flaws were documented by Gareth Heyes early last year; he calls them relative path overwrites. The trick is to lure …

  1. WibbleMe

    Interesting but would truing off XSS scripting in ,htaccess make a difference?

    1. Tom 38
      WTF?

      see icon -->

      1. Ole Juul

        He may be trying some kind of forum injection vulnerability attack. Just don't click on it.

    2. Anonymous Coward
      Anonymous Coward

      Yep... a bit.

  2. Doctor_Wibble

    I've obviously missed something critical here - how is it that a browser requesting something that doesn't exist is being given anything other than a 404 or some handler thereof? If you haven't gone past the last slash then it's still a path and not a file so why is a file being sent?

    I know there used to be severe problems for browsers that couldn't handle a 404 when a script src was supposed to be coming from somewhere that didn't have it, is this a similar thing resulting from a bit of duff coding, potentially at both ends?

    1. The Mole

      Its a webserver serving a dynamic page there's no need for the url to bare any relation to files on a file system at all. The website may be configued to pass anything after showthreads.php into the php script - which the script may then just ignore.

      The route of the problem would seem to be the browser is way too lenient with parsing css and will pull definitions out of any old junk.

      1. Kubla Cant

        The route of the problem would seem to be the browser is way too lenient with parsing css and will pull definitions out of any old junk.

        You shouldn't rely on browsers for security. The problem is that the server hasn't parsed the request URL properly. I just seems to have scanned it from the left until it found something that looks like the script name and assumed that anything after is a querystring. I can't believe many servers do this.

        BTW, the expression is "root of the problem". The analogy is to plants, not navigation.

        1. John G Imrie

          The problem is that the server hasn't parsed the request URL properly.

          Sorry the web server has parsed the URL properly.

          A URL is <scheme> "://" <server-name> ":" <server-port> <script-path> <extra-path> "?" <query-string>

          See that extra-path bit.

          The URL to resource translator in a web server can do several things but once it decides to walk the file system it will go down the URL until it finds something that maps to a file rather than a directory. Anything else is passed through to the file. In the old days of CGI scripting it ended up in the PATH_INFO environment variable.

          1. Doctor_Wibble

            Re: The problem is that the server hasn't parsed the request URL properly.

            > See that extra-path bit.

            I have to say I've never used it, and if something isn't part of locating the object being requested then it really ought to be put as a parameter and TBH this particular 'feature' strikes me as being more of a kludge than anything else.

            Doesn't mean it's not a useful thing, I just don't recall seeing that in any definition of 'URL' but maybe my books are too old.

            1. John G Imrie

              Re: The problem is that the server hasn't parsed the request URL properly.

              I got the information from http://www.ietf.org/rfc/rfc3875 published in October 2004. How old are your books?

        2. Jon 37
          FAIL

          PHP

          Sadly, this is a standard "feature" of mod_php/Apache, and I think(?) all PHP servers.

          PHP icon---->

          1. Anonymous Coward
            FAIL

            Re: PHP

            It's a feature of HTTP and there's nothing sad about it.

            Actually, it's a pretty useful feature. It allows links ending in the right filename while being served through dynamic script.

  3. brain_flakes

    Doesn't this only affect IE7 and below?

    Doesn't this only affect IE7 and below? CSS expressions were only ever in IE, and removed in IE8. I certainly couldn't get JS to execute on any of the browsers I have installed here...

  4. Mage Silver badge
    Devil

    There are related vulnerabilities

    I've seen emails alleging to be from linkedin with links that have linkedin's real domain at start of URL that are meant to load something else.

    Very many plugins for Drupal and Wordpress are STILL being written with cross site scripting, rights elevation or sql flaws.

    There is obviously something wrong with the way Web applications are being developed and deployed.

  5. James Rouse

    Going to ignore this until it has a catchy name.

    Seriously, until tech blogs can make some hilarious puns and pop-culture references on the name, what's the point?

    1. Adam 1

      Re: Going to ignore this until it has a catchy name.

      Something like DEATHNEEDLE and I would be all on it. PRSSI just sounds like one of the cards on your motherboard.

      1. teebie

        Re: Going to ignore this until it has a catchy name.

        PRiSSI?

        People paid attention to POODLE, and they are the prissiest of all dogs.

  6. b166er

    Err, so does <!DOCTYPE html> prevent this?

  7. Anonymous Coward
    Anonymous Coward

    Eh?

    From my naive reading of the article without going to the source, how on earth does "mysite" cause trouble via "somesite".

    I presume that the author meant that the link called "mysite.ninja" would actually link to "mysite.ninja" in a special way. Many forums show what a link really points to and browsers will show it on mouse over as well.

    SpamAssassin and ClamAV with Sane Security extras etc will almost certainly take a dim view of these links in emails BTW. I'm sure that McAfee, Norton, Sophos etc will also get upset

  8. Tannin
    FAIL

    Just another IE bug

    Two points:

    1 If you have something to say, please say it. As things stand, the article hints at a few things and skates glibly over a few more, but doesn't actually say anything of substance. At least not that I can detect. Has any other reader managed to figure out exactly what is being said here? (If anything.) One is left to trawl the links looking for the bacon in the sandwich.

    2: Having learned (I think) what the vulnerability is (no thanks to the vague Reg article), I'm damned if I can figure out what the excuse is for calling it a "CSS vulnerability" instead of what it apparently is, just another IE vulnerability which (so far as I can glean) applies only to a version of IE so ancient that one might as well write up new bugs in Netscape Navigator 4.

    What is the excuse (if any) for calling an IE bug a "CSS bug"? I am left to presume that the only purpose is to scam a headline few clicks, 'coz an actual CSS vulnerability would be important must-read news, where finding another bug in the long-obsolete nine-year-old Internet Explorer 7 is like finding a lump of horse poo in a dungheap. It's hardly news.

    PS: If there *is* in fact some substantial backing to justify the rather hysterical headline, and it *isn't* just another ancient IE bug, please have the goodness to tell someone about it. You could start with Reg readers.

    1. albinowax

      Re: Just another IE bug

      There are two things here, the attack technique and the vulnerability in phpBB3.

      The attack technique itself works in all modern browsers - expression() support definitely isn't a requirement. It's often possible to hijack accounts using generic, cross-browser CSS. See the 'Malicious CSS' section in http://blog.portswigger.net/2015/02/prssi.html for more info on this, and also http://p42.us/css/ .

      The phpBB3 vulnerability is IE specific since phpBB uses a modern doctype, but it works in IE11. The proof of concept in the linked post doesn't use expression(), because as you say this would limit it to older IE versions. Expression() is actually supported in IE10 and under, but only under the right conditions, which phpBB3 doesn't have.

      Hope that makes sense!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like