Thursday, November 24, 2016

[FD] [RT-SA-2016-003] Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler

Advisory: Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler

RedTeam Pentesting discovered behaviour in the Less.js compiler, which allows execution of arbitrary code if an untrusted LESS file is compiled.

Details
=======

Product: Less Compiler
Affected Versions: probably all versions
Fixed Versions: none
Vulnerability Type: Code Execution
Security Risk: low
Vendor URL: http://lesscss.org/
Vendor Status: decided not to fix
Advisory URL: http://ift.tt/2gk77jd
Advisory Status: published

Introduction
============

"Less is a CSS pre-processor, meaning that it extends the CSS language, adding features that allow variables, mixins, functions and many other techniques that allow you to make CSS that is more maintainable, themable and extendable. Less runs inside Node, in the browser and inside Rhino. There are also many 3rd party tools that allow you to compile your files and watch for changes."

(from the project's homepage)

More Details
============

The Less project provides a compiler [0] to transform LESS code into CSS. Among other features, it supports embedded inline JavaScript code in LESS files. To our knowledge, this feature is currently not mentioned in the official documentation provided by the Less project. However, while researching the history of the Less website it was discovered that this feature was indeed documented in the past [1]. Third parties also document this feature [2].

The following example shows how this feature can be used. JavaScript code can be embedded in LESS by enclosing it in backticks. In the following, the result of the expression '1+1' is assigned to the variable 'test':
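Added example (not part of the advisory or the Less project): a fail-closed check a build service could run before handing untrusted LESS to the compiler, rejecting any file that contains a backtick-delimited span. The function names and the sample input are assumptions constructed for this illustration.

```javascript
'use strict';
// Added example: fail-closed gate run before untrusted LESS reaches the compiler.
// Not the Less.js parser. findInlineJs, isSafeToCompile and SAMPLE are
// hypothetical names constructed for this illustration.

// Returns one finding per backtick-delimited span, with its 1-based line/column.
// Comments and quoted strings are deliberately NOT skipped: a pre-filter that
// lexes them differently from the real compiler could overlook a span.
function findInlineJs(source) {
  const findings = [];
  let pos = source.indexOf('`');
  while (pos !== -1) {
    const end = source.indexOf('`', pos + 1);
    const stop = end === -1 ? source.length : end;
    const before = source.slice(0, pos);
    findings.push({
      line: before.split('\n').length,
      column: pos - before.lastIndexOf('\n'),
      code: source.slice(pos + 1, stop),
      terminated: end !== -1,        // false: opening backtick never closed
    });
    pos = end === -1 ? -1 : source.indexOf('`', end + 1);
  }
  return findings;
}

// Policy: any backtick at all means the file is rejected, not "sanitised".
function isSafeToCompile(source) {
  return findInlineJs(source).length === 0;
}

// Constructed sample input (not taken from the advisory).
const SAMPLE = [
  '@base: 10px;',
  '@sum: `1+1`;',
  '.box { width: @base; content: "a `2*3` b"; }',
  '/* note: `unclosed */',
].join('\n');

for (const f of findInlineJs(SAMPLE)) {
  console.log(`line ${f.line}, col ${f.column}: ${JSON.stringify(f.code)}` +
              (f.terminated ? '' : ' (unterminated)'));
}
```

Because the gate rejects on any backtick, it will also refuse stylesheets that use a backtick only as literal text; for untrusted input that trade-off favours safety.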
