Web Bug on Lua Webpage


Web Bug on Lua Webpage

Jonathan Burkett
Hello developers,
I've recently encountered a bug on the https://lua.org/demo.html webpage. This allows for manipulation of webpage text through the Lua compiler. I ran the code: 
function a()
print(('Unnatural Lua Behavior\n'):rep(6))
end
debug.sethook(a,'c',1)
a()

This spams 'Unnatural Lua Behavior' to the output as well as overrides the message at the bottom with repetitions. This is likely open to the ability to run XSS within the webpage body.
Hope y'all take care,
-Jonathan

Re: Web Bug on Lua Webpage

Egor Skriptunoff-2
On Fri, Sep 13, 2019 at 5:06 AM Jonathan Burkett wrote:
Hello developers,
I've recently encountered a bug on the https://lua.org/demo.html webpage. This allows for manipulation of webpage text through the Lua compiler. I ran the code: 
function a()
print(('Unnatural Lua Behavior\n'):rep(6))
end
debug.sethook(a,'c',1)
a()

This spams 'Unnatural Lua Behavior' to the output as well as overrides the message at the bottom with repetitions. This is likely open to the ability to run XSS within the webpage body.
Hope y'all take care,
-Jonathan

A similar "vulnerability" is the following:
a=setmetatable({}, {__gc = function() print('--><script>alert("Surprise!");</script>') end})
It was reported 2 years ago and is still not fixed:
http://lua-users.org/lists/lua-l/2017-07/msg00254.html
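Both reports in this thread (the hook that keeps printing, and the `__gc` payload above) point at the same server-side pattern: whatever the interpreter prints is embedded in the page as-is. The following is an added example written for this thread, not code from lua.org or from any poster. It places the flawed pattern next to a hardened renderer that HTML-escapes and caps the output before embedding it. The `MAX_OUTPUT_BYTES` limit, the element ids, and the assumption that the page wraps output in an HTML comment (suggested by the leading `-->` in the payload) are all assumptions, not facts about the real demo page.

```python
import html

# Assumed cap on embedded output; any real limit on lua.org is not known from the thread.
MAX_OUTPUT_BYTES = 4096

# Constructed sample: the payload from the thread as it would appear in captured stdout.
SAMPLE_PAYLOAD = '--><script>alert("Surprise!");</script>\n'


def render_output_unsafe(raw):
    """The flawed pattern the thread describes (assumed layout): raw interpreter
    output is concatenated into the page, so any markup it contains becomes live
    HTML. The output is assumed to sit inside an HTML comment, which is why a
    leading '-->' in the output is enough to break out of it."""
    return '<!-- output:\n' + raw + '\n--><pre id="output"></pre>'


def escape_output(raw):
    """HTML-escape untrusted output so the browser renders it as text, never as markup."""
    return html.escape(raw, quote=True)


def truncate_output(raw, limit=MAX_OUTPUT_BYTES):
    """Cap runaway output (e.g. a call hook that keeps printing) at `limit` characters.
    Returns the kept text and whether anything was dropped."""
    if len(raw) <= limit:
        return raw, False
    return raw[:limit], True


def render_output_safe(raw):
    """Hardened renderer: truncate first (so an entity is never cut in half),
    then escape, then embed the result as text inside a <pre> element."""
    body, truncated = truncate_output(raw)
    note = '<p class="note">[output truncated]</p>' if truncated else ''
    return '<pre id="output">' + escape_output(body) + '</pre>' + note


if __name__ == "__main__":
    # Unsafe: the comment is closed by the output and <script> reaches the browser.
    print(render_output_unsafe(SAMPLE_PAYLOAD))
    # Safe: the same payload arrives as inert text.
    print(render_output_safe(SAMPLE_PAYLOAD))
    # Hook-style spam is cut off before it can flood the page.
    print(render_output_safe('Unnatural Lua Behavior\n' * 1000)[-60:])
```

Escaping addresses the client-side symptom reported here; the output cap is only the smallest part of protecting the server itself (CPU and memory limits on the interpreter run are outside what this example shows).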

Re: Web Bug on Lua Webpage

Luiz Henrique de Figueiredo
In reply to this post by Jonathan Burkett
Thanks for the report.


Re: Web Bug on Lua Webpage

Pierre Chapuis
In reply to this post by Egor Skriptunoff-2
I might be missing something, but I think it doesn't matter much since:

- I don't think there is a way to construct a URL that runs this code.
- I don't think there is a login / session mechanism on lua.org so there isn't really a CSRF risk.

-- 
Pierre Chapuis


On Fri, Sep 13, 2019, at 08:54, Egor Skriptunoff wrote:
On Fri, Sep 13, 2019 at 5:06 AM Jonathan Burkett wrote:
Hello developers,
I've recently encountered a bug on the https://lua.org/demo.html webpage. This allows for manipulation of webpage text through the Lua compiler. I ran the code: 
function a()
print(('Unnatural Lua Behavior\n'):rep(6))
end
debug.sethook(a,'c',1)
a()
This spams 'Unnatural Lua Behavior' to the output as well as overrides the message at the bottom with repetitions. This is likely open to the ability to run XSS within the webpage body.
Hope y'all take care,
-Jonathan

A similar "vulnerability" is the following:
a=setmetatable({}, {__gc = function() print('--><script>alert("Surprise!");</script>') end})
It was reported 2 years ago and is still not fixed.


Re: Web Bug on Lua Webpage

Luiz Henrique de Figueiredo
> I might be missing something, but I think it doesn't matter much since:

I agree. The demo page needs to protect the server, not the client.