Plugin: Akismet Anti-Spam » Akismet allows possible vulnerability in links in comments

  • Resolved rhellewell

    (@rhellewellgmailcom)


    If you hover over a spam link in an Akismet-caught spam comment, the content of the link will show up on your screen. And that content could be harmful.

    To duplicate, find a spam comment that Akismet has caught (go to Admin, Comments, Spam). Hover over any link in the spam content. A box will pop up with that link’s content.

    Example:

    Using the Inspector on one of those spam links, I found the HREF code on the link in the spam comment is similar to this (I obfuscated the domain but left the rest) (and not sure how to wrap the code block below)

```html
<a href="http://Www.example.com/__media__/js/netsoltrademark.php?d=malyj.info%2F__media__%2Fjs%example.php%3Fd%3D3win8.city%2Findex.php%2Fdownload%2F29-ntc33"
target="_blank" rel="external nofollow">http://Www.example.com/__media__/js/netsoltrademark.php?d=malyj.info%2F__media__%2Fjs%2Fexample.php%3Fd%3D3win8.city%2Findex.php%2Fdownload%2F29-ntc33</a>
```

    And the CSS for the :after element, which comes from Akismet (which is why you only see it on Akismet-caught spam, using the latest version of Akismet), in akismet.css line 42:

```css
table.comments td.comment p a::after {
    content: attr(href);
    color: #aaa;
    display: inline-block;
    padding: 0 1ex;
}
```

So the content element of the CSS is displaying the content in the link. And note that the example link above is a php file. Which is concerning, since clicking on the link appears to call some ‘download’ process. (I have not looked into the code of the link, nor clicked on it.)

…but not as concerning as if the example block was some JS. And more concerning if the JS is trying to do some exploit on your computer, which I don’t think would require a click, just a hover to execute. **YIKES!**

    So, the cause seems to be the CSS that Akismet is using is displaying the links’ content.

    And that doesn’t look very safe. Akismet **should not** be using the content element in the :after CSS block.

This is a potential vulnerability to the admin’s computer, and should not be enabled by Akismet.
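Since the CSS rule only renders the href string as text, the link in a caught spam comment can be examined entirely offline. The following is an added example (not Akismet's code, and not from the poster) that parses a constructed comment modelled on the quoted spam link and unwraps the nested `?d=` redirect parameters to list the hosts the link would bounce through, without ever making a request:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample comment, modelled on the obfuscated spam link quoted above.
SAMPLE_COMMENT = (
    '<p>great post <a href="http://Www.example.com/__media__/js/netsoltrademark.php'
    '?d=malyj.info%2F__media__%2Fjs%2Fexample.php%3Fd%3D3win8.city%2Findex.php%2Fdownload%2F29-ntc33"'
    ' target="_blank" rel="external nofollow">check this</a></p>'
)


class HrefCollector(HTMLParser):
    """Collects href attributes from <a> tags; nothing is fetched or rendered."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(comment_html):
    parser = HrefCollector()
    parser.feed(comment_html)
    return parser.hrefs


def unwrap_redirect_chain(href, param="d", max_hops=10):
    """Follow nested redirect parameters by string parsing alone.

    Returns the lower-cased hosts in order; max_hops bounds pathological nesting."""
    chain = []
    current = href
    for _ in range(max_hops):
        parts = urlsplit(current)
        chain.append(parts.netloc.lower())
        inner = parse_qs(parts.query).get(param)
        if not inner:
            break
        target = inner[0]
        # Inner values are usually scheme-less; add one so urlsplit sees a host.
        current = target if "://" in target else "http://" + target
    return chain


def triage_comment(comment_html):
    """Map each link in a comment to the hosts it would pass through."""
    return {h: unwrap_redirect_chain(h) for h in extract_hrefs(comment_html)}
```

Running `triage_comment(SAMPLE_COMMENT)` on the sample yields one entry whose chain is `www.example.com -> malyj.info -> 3win8.city`, which is the kind of summary a moderator can read without hovering or clicking anything.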

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi there,

    Unless I missed something in your report, I think there might be a misunderstanding as to what that CSS does, and how it might affect a user.

The `content: attr(href);` parameter does not display the content of the site being linked to, it simply displays the URL that is being linked to, next to said link, as seen in https://cloudup.com/itp4rG2hcDy.

    The content that is shown as an overlay (like the 404 in https://cloudup.com/iWc_lALmpzA) is a screenshot/image that is being automatically generated on our servers, but the user’s browser (or server) never actually gets to the target site.

    Based on the above, I cannot see a security vector for an attacker to take advantage of either, from a user’s perspective.

    rhellewell

    (@rhellewellgmailcom)

    I am confused by your response, but am having trouble creating an example that shows the issue.

    But I can easily see the problem if I look at an actual spam comment that Akismet classifies as spam. You should also be able to see it, if you go into the list of spam comments (Admin, Comments, Spam).

That will show you a list of all comments classified as spam. If you move your mouse over a typical spam link, a box will pop up that shows the content of that href link. If the href is something like https://www.cnn.com, then you should be able to see the contents of the current CNN page. If it is a malicious/spammy link, then you see the content of that page.

In fact, if you edit a spam comment, insert this simple HREF link, and save the edit, then you will see the CNN front page, even with the rotating elements, when you mouseover that link that you added.

```html
<a href="https://www.cnn.com" rel="nofollow">my link</a><br>
```

That indicates to me that the ‘content’ CSS is making a request to CNN, and CNN is returning the content. If that content in the comment was a page that is generating ‘bad’ content, then that bad content will get executed in the visitor’s browser. I have not done any capturing of request elements, but I do see the HREF content on every single HREF link in any spam content. And that content is displayed by the :after CSS added by akismet.css.

    I don’t have a proof of concept, other than when you edit a spam comment and put in your own HREF, or mouseover an HREF element in the spammer’s comment text. But it would seem to me that this action could be turned into something harmful by a malicious actor.

    Plugin Author Christopher Finke

    (@cfinke)

    The popup you see from CNN.com in your example is just a screenshot, taken by the mShots service (https://github.com/Automattic/mShots). It is static, so there is no content from CNN.com actually being included in the page. If you check line 87 of _inc/akismet.js, you can see the JavaScript that requests the screenshot and displays it in the page.

    rhellewell

    (@rhellewellgmailcom)

    Interesting. When I inserted the CNN main page link, the resultant ‘screenshot’ from the JS changed, with a new image displayed in part of the screenshot window (like an automatic slideshow). That led me to believe that the window was ‘live’.

    I don’t ‘speak’ JS very well (only the basics), so can’t speak to the code. But a screenshot is less of an issue. Although the slideshow-type display of the CNN ‘screenshot’ was disconcerting, leading me to believe it was ‘live code’.

    But it would be nice to disable that screenshotting, perhaps on the spam list. Not sure why that is a ‘feature’, though. I’d like a ‘disable’ option.
