Fault in Preprocessor Language Less.js Root Website to Rift AWS Secret

rift AWS secret keys
Share It On:

13th July 2021, Kathmandu

A vulnerability in popular preprocessor language Less.js might be exploited to realize remote code execution (RCE) against websites that permit users to input Less.js code, researchers have alerted.

Less.js stands for Learner Style Sheets which is a JavaScript tool that is a backward-compatible language extension of CSS.

To valid CSS code, Less.js is transpiled and is employed to assist the writing of CSS for websites.

The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.

While performing a pentest for one of the Secured Software’s Penetration Testing as a Service (PaaS) clients, they found an application feature that allowed users to create visualizations which further enabled them to custom styling. Users were allowed to input valid Less code by one of the visualizations, which was transpiled on the client-side to CSS.

This seemed like it needed a closer look.

As per security perspectives, Less has some interesting features. The inclusion of JavaScript by default is allowed with the use of the backtick operators by Less before version 3.0.0

To valid CSS code, Less.js is transpired and is employed to assist the writing of CSS for websites. The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.

Plugins are the syntax written in JavaScript and when the Less code is interpreted, any included plugins will execute. It is this feature that may leave a user susceptible to remote attack, researchers from Canadian infosec firm Software Secured said.

“The two results counting on the context of the Less processor is caused by this,” they wrote. It results in cross-site scripting (XSS), if Less code is processed on the client-side – but processed on the server side it leads to RCE. Most of the Less Supporting the @plugins syntax are susceptible, the researchers added.

The blog posted by Software Secured contains a proof-of-concept and example of how the plugins have been exploited in the real world.

As the researchers studied at CodePen.io, a popular website for creating web code snippets that assisted standard languages plus Less.js. Here, they attempted their PoCs against the site and were up to “leak their AWS secret keys and run capricious commands in their AWS Lambdas”.

Then they reported the vulnerability to CodePen.io, which patched the bug.

Less. js is transcompiled into valid CSS code and wants to write CSS for websites. The Less. js library supports add-ins that can be included directly in Less code from a foreign, syntax, @plugin. All Add-ins were written in JavaScript run, once you interpret the Less code.

This feature can turn a user into remote attacks, researchers from Canadian company Infosec Software Secured detailed in a blog post.

“As we will be placing our judgment, the way of complementing and @import (online) has never been written before. We notified managers over a year ago where bugs were known.

Buis urged Less. js users to mitigate the dangers through the following: “Instead of less code, allow CSS to be used on a normal basis,” he said. “If Less is necessary, it transpires the Less client-side code to bypass the likelihood of SSRF and RCE attacks. “To reduce the likelihood of XSS, upgrade to the latest edition where JavaScript-based reverse quote execution is disabled by default and fork the Less library and take away the ‘@plugin’ syntax. “


Share It On:

Recent Posts

Global IME Haat Bazaar Nepal: Supporting Local Entrepreneurs & Showcasing Unique Products

Global IME Haat Bazaar Nepal: Supporting Local Entrepreneurs & Showcasing

Share It On:24th December 2024, Kathmandu Global IME Bank Limited has introduced the “Global Haat Bazaar” to promote products from

Golchha Group and ENSSURE Nepal Launch VET Apprenticeship Program to Boost Skills

Golchha Group and ENSSURE Nepal Launch VET Apprenticeship Program to

Share It On:24th December 2024, kathmandu Golchha Group, a pioneering industrial group in Nepal that carries a legacy of 100

Nepal Telecom BTS Vandalism in Humla: Service Disruption and Repair Efforts

Nepal Telecom BTS Vandalism in Humla: Service Disruption and Repair

Share It On: 24th December 2024, kathmandu Nepal Telecom is facing a major disruption in its services in the Humla

Worldlink Carnival Pokhara 2024: Fun, Music, and Prizes Await

Worldlink Carnival Pokhara 2024: Fun, Music, and Prizes Await

Share It On:24th December 2024, Kathmandu Worldlink, Nepal’s top internet service provider, is organizing a grand event, the “Worldlink Carnival,”

Nepal Power Grid Upgrade: $537M Investment for Enhanced Energy Access and Regional Trade

Nepal Power Grid Upgrade: $537M Investment for Enhanced Energy Access

Share It On:24th December, Kathmandu Nepal has secured an investment of NPR 72.93 billion (USD 537 million) for enhancing its

Ncell Foundation 4 for 4s NPL Campaign Provides 2600+ Kits  for Education and Empowerment

Ncell Foundation 4 for 4s NPL Campaign Provides 2600+ Kits

Share It On:24th December 2024, Kathmandu Linking the excitement of cricket via Nepal Premiere League (NPL) to the classrooms, Ncell