I got an email today from Jose Avila about an XSS hole in BlogSpot. For anyone who doesn’t know, Blogspot is a free blogging system for people who can’t or don’t want to host their own. Anyway, his blog post discusses how the exploit works. Essentially, Blogspot considers anything inside of comment tags to be safe. So he wraps his vector, which closes the title tag and starts a remote script include, inside of comment tags.
The demo PoC page is located here and works only in Safari (and possibly Konqueror, although that is unverified), as Internet Explorer and Firefox treat an end title tag inside of a comment tag as part of the title instead of ending the title. Weird, huh? The vector is the truly noteworthy part of this, even though the site itself is very popular. In those browsers, anything inside of comment tags, even if that includes an end title tag, is treated as title text. Bizarre behavior, but it proves that you can’t assume that things inside of comment tags are okay (as the downlevel-hidden XSS vector showed us as well). Nice find, Jose!
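As an added illustration (my own code, not Jose’s PoC or anything from Blogspot), here is why a filter that trusts comment bodies fails inside a title. The `<title>` element is RCDATA: the HTML5 tokenizer does not recognise comment syntax there, so the first `</title` followed by whitespace, `/` or `>` ends the element, which is the behaviour the Safari demo relies on. The sample title string is constructed for the demo and uses harmless bold markup in place of a script include.

```python
import re

# Constructed sample: a naive filter trusts the comment wrapper, but inside
# <title> the browser sees no comment at all, only an early end tag.
SAMPLE_TITLE = 'My post<!--</title><b>injected markup</b>-->'

COMMENT_RE = re.compile(r'<!--.*?-->', re.DOTALL)
# HTML5 RCDATA rule: "</title" closes the element when followed by
# whitespace, "/" or ">" (case-insensitive); comment syntax is ignored.
TITLE_END_RE = re.compile(r'</title(?=[\s/>])', re.IGNORECASE)


def naive_is_safe(title: str) -> bool:
    """The flawed check: treat comment bodies as inert, then look for an end tag."""
    stripped = COMMENT_RE.sub('', title)
    return TITLE_END_RE.search(stripped) is None


def rcdata_title_closes_early(title: str) -> bool:
    """What an RCDATA tokenizer actually does: the first </title> ends the element."""
    return TITLE_END_RE.search(title) is not None


def markup_after_title(title: str) -> str:
    """Everything after the premature end tag is parsed as ordinary HTML."""
    m = TITLE_END_RE.search(title)
    if m is None:
        return ''
    gt = title.find('>', m.end())  # skip to the end of the end tag itself
    return title[gt + 1:] if gt != -1 else ''


def encode_title(title: str) -> str:
    """Hardened: escape '&' and '<' so no end tag can be formed in RCDATA."""
    return title.replace('&', '&amp;').replace('<', '&lt;')


def render_head(title: str) -> str:
    """Emit the title the safe way: encode, never whitelist by comment."""
    return '<title>' + encode_title(title) + '</title>'
```

Running the sample through both checks shows the gap: the naive filter reports it safe, the RCDATA-style scan finds the early end tag and the markup that follows it, and the encoded version no longer contains an end tag at all.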