Fault in Preprocessor Language Less.js Root Website to Rift AWS Secret

rift AWS secret keys
Share It On:

13th July 2021, Kathmandu

A vulnerability in popular preprocessor language Less.js might be exploited to realize remote code execution (RCE) against websites that permit users to input Less.js code, researchers have alerted.

Less.js stands for Learner Style Sheets which is a JavaScript tool that is a backward-compatible language extension of CSS.

To valid CSS code, Less.js is transpiled and is employed to assist the writing of CSS for websites.

The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.

While performing a pentest for one of the Secured Software’s Penetration Testing as a Service (PaaS) clients, they found an application feature that allowed users to create visualizations which further enabled them to custom styling. Users were allowed to input valid Less code by one of the visualizations, which was transpiled on the client-side to CSS.

This seemed like it needed a closer look.

As per security perspectives, Less has some interesting features. The inclusion of JavaScript by default is allowed with the use of the backtick operators by Less before version 3.0.0

To valid CSS code, Less.js is transpired and is employed to assist the writing of CSS for websites. The Less.js library assists plugins that may be included directly within the Less code from a foreign source utilizing the @plugin syntax.

Plugins are the syntax written in JavaScript and when the Less code is interpreted, any included plugins will execute. It is this feature that may leave a user susceptible to remote attack, researchers from Canadian infosec firm Software Secured said.

“The two results counting on the context of the Less processor is caused by this,” they wrote. It results in cross-site scripting (XSS), if Less code is processed on the client-side – but processed on the server side it leads to RCE. Most of the Less Supporting the @plugins syntax are susceptible, the researchers added.

The blog posted by Software Secured contains a proof-of-concept and example of how the plugins have been exploited in the real world.

As the researchers studied at CodePen.io, a popular website for creating web code snippets that assisted standard languages plus Less.js. Here, they attempted their PoCs against the site and were up to “leak their AWS secret keys and run capricious commands in their AWS Lambdas”.

Then they reported the vulnerability to CodePen.io, which patched the bug.

Less. js is transcompiled into valid CSS code and wants to write CSS for websites. The Less. js library supports add-ins that can be included directly in Less code from a foreign, syntax, @plugin. All Add-ins were written in JavaScript run, once you interpret the Less code.

This feature can turn a user into remote attacks, researchers from Canadian company Infosec Software Secured detailed in a blog post.

“As we will be placing our judgment, the way of complementing and @import (online) has never been written before. We notified managers over a year ago where bugs were known.

Buis urged Less. js users to mitigate the dangers through the following: “Instead of less code, allow CSS to be used on a normal basis,” he said. “If Less is necessary, it transpires the Less client-side code to bypass the likelihood of SSRF and RCE attacks. “To reduce the likelihood of XSS, upgrade to the latest edition where JavaScript-based reverse quote execution is disabled by default and fork the Less library and take away the ‘@plugin’ syntax. “


Share It On:

Recent Posts

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future Plans

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future

Share It On:22nd November 2024, Kathmandu Liberty Energy Company Limited is gearing up to issue rights shares starting December 1,

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Share It On:22nd November 2024, Kathmandu Asha Laghubitta Bittiya Sanstha is holding its 8th Annual General Meeting (AGM) today, November

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and Reproductive Health Policies

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and

Share It On: 21st November, Kathmandu Nepal is set to host the 6th Asian Population Conference from November 27 to

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Share It On:21st November, Kathmandu Kumari Bank Limited has officially declared its intention to sell a substantial number of promoter

Up to NPR 150 Cashback on Nepal Telecom and Ncell Services with Namaste Pay

Up to NPR 150 Cashback on Nepal Telecom and Ncell

Share It On:21st November, Kathmandu Namaste Pay has unveiled an exciting new campaign to reward its users with cashback on

Ncell introduces innovative feature, enabling customers to convert voice to data or data to voice services

Ncell introduces innovative feature, enabling customers to convert voice to

Share It On:21st November, Kathmandu Ncell customers can enjoy an innovative feature that allows them to convert or exchange remaining