Fault in Preprocessor Language Less.js Root Website to Rift AWS Secret

rift AWS secret keys
Share It On:

13th July 2021, Kathmandu

A vulnerability in popular preprocessor language Less.js might be exploited to realize remote code execution (RCE) against websites that permit users to input Less.js code, researchers have alerted.

Less.js stands for Learner Style Sheets which is a JavaScript tool that is a backward-compatible language extension of CSS.

To valid CSS code, Less.js is transpiled and is employed to assist the writing of CSS for websites.

The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.

While performing a pentest for one of the Secured Software’s Penetration Testing as a Service (PaaS) clients, they found an application feature that allowed users to create visualizations which further enabled them to custom styling. Users were allowed to input valid Less code by one of the visualizations, which was transpiled on the client-side to CSS.

This seemed like it needed a closer look.

As per security perspectives, Less has some interesting features. The inclusion of JavaScript by default is allowed with the use of the backtick operators by Less before version 3.0.0

To valid CSS code, Less.js is transpired and is employed to assist the writing of CSS for websites. The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.

Plugins are the syntax written in JavaScript and when the Less code is interpreted, any included plugins will execute. It is this feature that may leave a user susceptible to remote attack, researchers from Canadian infosec firm Software Secured said.

“The two results counting on the context of the Less processor is caused by this,” they wrote. It results in cross-site scripting (XSS), if Less code is processed on the client-side – but processed on the server side it leads to RCE. Most of the Less Supporting the @plugins syntax are susceptible, the researchers added.

The blog posted by Software Secured contains a proof-of-concept and example of how the plugins have been exploited in the real world.

As the researchers studied at CodePen.io, a popular website for creating web code snippets that assisted standard languages plus Less.js. Here, they attempted their PoCs against the site and were up to “leak their AWS secret keys and run capricious commands in their AWS Lambdas”.

Then they reported the vulnerability to CodePen.io, which patched the bug.

Less. js is transcompiled into valid CSS code and wants to write CSS for websites. The Less. js library supports add-ins that can be included directly in Less code from a foreign, syntax, @plugin. All Add-ins were written in JavaScript run, once you interpret the Less code.

This feature can turn a user into remote attacks, researchers from Canadian company Infosec Software Secured detailed in a blog post.

“As we will be placing our judgment, the way of complementing and @import (online) has never been written before. We notified managers over a year ago where bugs were known.

Buis urged Less. js users to mitigate the dangers through the following: “Instead of less code, allow CSS to be used on a normal basis,” he said. “If Less is necessary, it transpires the Less client-side code to bypass the likelihood of SSRF and RCE attacks. “To reduce the likelihood of XSS, upgrade to the latest edition where JavaScript-based reverse quote execution is disabled by default and fork the Less library and take away the ‘@plugin’ syntax. “


Share It On:

Recent Posts

Citizens Bank 11.11 Deals: Exclusive Discounts on Daraz

Citizens Bank 11.11 Deals: Exclusive Discounts on Daraz

Share It On:5th November 2024, Kathmandu Citizens Bank International Limited signed an agreement with Nepal’s leading online marketplace, Daraz, to

Local Talent Shines in Cybersecurity: Bipu Ojha and Tuan Khuat Win CDU IT CodeFair CTF

Local Talent Shines in Cybersecurity: Bipu Ojha and Tuan Khuat

Share It On:5th November 2024, Kathmandu Bipu Ojha and his teammate Tuan Khuat have emerged as winners in the prestigious

CEDB Hydropower’s Extraordinary General Meeting Concluded: Five Directors Elected

CEDB Hydropower’s Extraordinary General Meeting Concluded: Five Directors Elected

Share It On: 5th November 2024, Kathmandu CEDB Hydropower Development Company Limited has successfully concluded its extraordinary general meeting. CEDB

Government’s Journalist Accident Insurance Program: Apply Now For Your Protection

Government’s Journalist Accident Insurance Program: Apply Now For Your Protection

Share It On: 5th November, Kathmandu The Department of Information and Broadcasting has announced the launch of a new insurance

Nepal Life’s Property Acquisition in Hetauda: A Strategic Move For Growth

Nepal Life’s Property Acquisition in Hetauda: A Strategic Move For

Share It On:5th November, Kathmandu Nepal Life Insurance, a leading life insurance company in Nepal, has recently expanded its footprint

Global IME Dividend Announcement: Key Book Closure Date Revealed

Global IME Dividend Announcement: Key Book Closure Date Revealed

Share It On:5th November 2024, Kathmandu Global IME Bank has good news for its shareholders! The bank has announced a