codeblog code is freedom — patching my itch

October 27, 2005

pastebin rulez

Filed under: Security,Vulnerabilities — kees @ 7:40 am

When discussing code on IRC, I’ve found pastebin to be a valuable resource for sharing code snippets. It has a really simple interface, and can give you a semi-private area just by specifying a subdomain (e.g.

I had spent some time yesterday doing some other security audits, and figured I’d poke around at pastebin. Overall, the system was fine (only two inputs: text and name — both were strongly filtered). I did discover a redirect bug, though, which would let me use the site to redirect to somewhere else. While there isn’t anything to “steal” on pastebin, a bad guy could still trick their unsuspecting friends into visiting other (maybe more dangerous?) websites.

I reported the problem to pastebin’s author (Paul Dixon), and he had it fixed before I woke up. That’s how vulnerability reporting is supposed to work! Thanks Paul!

Here’s how it used to work. From the pastebin help, you can type in a subdomain to use for your pastebin. (Like “yayoutflux” above.) The form did some checking (no /’s allowed), but would accidentally let you send whitespace, including a linefeed.

Normally, a web redirect from that form would look something like this, where the user input is shown in bold:

HTTP/1.1 302 Found

However, if I add a linefeed (URL encoded as %0A), I could break the “Location” tag, and trick the browser into going somewhere else:

HTTP/1.1 302 Found

Great illustration of redirection XSS.
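The filter gap described above, shown as an added example (this is not pastebin's code or the author's): a check that only rejects "/" beside an allow-list check, applied to a form-decoded subdomain before it is placed in the Location header. The base domain, function names and marker header are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Assumption: redirects go to "<label>.<BASE_DOMAIN>"; the domain is a placeholder.
BASE_DOMAIN = "pastebin.example.test"

# One DNS host label: letters, digits, hyphens; 1-63 chars; no edge hyphen.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def weak_check(subdomain: str) -> bool:
    """The filter as the post describes it: only '/' is rejected."""
    return "/" not in subdomain


def strict_check(subdomain: str) -> bool:
    """Allow-list check. fullmatch() is deliberate: match() with a '$'
    anchor would still accept a value that ends in a linefeed."""
    return LABEL_RE.fullmatch(subdomain.lower()) is not None


def build_redirect(subdomain: str, check) -> bytes:
    """Return the raw 302 response, or a 400 if the check rejects the input."""
    if not check(subdomain):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    location = f"http://{subdomain}.{BASE_DOMAIN}/"
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def header_lines(response: bytes) -> list:
    """Split the header block as a lenient client would: on LF or CRLF."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return [line for line in re.split(rb"\r?\n", head) if line]


# Constructed inputs, decoded the way a form handler decodes %0A.
GOOD = unquote("yayoutflux")
BAD = unquote("yayoutflux%0AX-Constructed-Marker: 1")

if __name__ == "__main__":
    for name, check in (("weak", weak_check), ("strict", strict_check)):
        for value in (GOOD, BAD):
            lines = header_lines(build_redirect(value, check))
            print(f"{name:6} {value!r:40} -> {lines}")
```

With the weak check the constructed input yields three header lines instead of two, because the Location value ends at the linefeed; the strict check answers 400 before any header is built.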

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

1 Comment

  1. It’s always good to hear that authors fix their software when a report like that comes in…
    Kudos to both you and Paul…

    Comment by John — November 2, 2005 @ 8:43 pm
