13th July 2021, Kathmandu
A vulnerability in the popular CSS preprocessor language Less.js could be exploited to achieve remote code execution (RCE) against websites that allow users to supply Less.js code, researchers have warned.
Less.js is transpiled to valid CSS and is used to make writing CSS for websites easier.
The Less.js library supports plugins that can be included directly in the Less code from a remote source using the @plugin syntax.
While performing a pentest for one of Software Secured’s Penetration Testing as a Service (PaaS) clients, the researchers found an application feature that allowed users to create visualizations and apply custom styling to them. One of the visualizations let users input valid Less code, which was transpiled to CSS on the client side.
This seemed like it needed a closer look.
“The two results, depending on the context of the Less processor, are caused by this,” they wrote. If the Less code is processed on the client side, it results in cross-site scripting (XSS); if it is processed on the server side, it leads to RCE. Most Less processors supporting the @plugin syntax are susceptible, the researchers added.
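The distinction above matters for the defender: whether the Less is rendered in the browser or on a server, any user-controlled source that reaches the renderer can pull in a plugin through @plugin. One mitigation is to refuse such input before it is ever handed to the Less renderer. The following is an added example written for this page; it is not part of Less.js and not the researchers' code. It assumes an application that receives Less source from users and calls some render function on it, and it scans the source for top-level at-rules named in a block list (by default just @plugin) while ignoring comments and string literals so that neither a commented-out directive nor a quoted "@plugin" produces a false positive.

```javascript
'use strict';

// Strip /* block */ and // line comments from Less source while copying
// string literals verbatim, so that "https://host/x.js" inside a quoted
// string is not mistaken for the start of a line comment.
function stripComments(src) {
  let out = '';
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    const d = src[i + 1];
    if (c === '"' || c === "'") {
      // String literal: copy through the matching quote, honouring backslash escapes.
      let j = i + 1;
      while (j < n && src[j] !== c) {
        if (src[j] === '\\') j++;
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (c === '/' && d === '*') {
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
      out += ' ';
    } else if (c === '/' && d === '/') {
      const end = src.indexOf('\n', i);
      i = end === -1 ? n : end;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// Return every statement in the source that begins with one of the
// disallowed at-rule names. Statements are delimited by ';', '{' and '}',
// which is enough to locate top-level and nested at-rules for this check.
function findDisallowedDirectives(src, disallowed = ['@plugin']) {
  const hits = [];
  for (const piece of stripComments(src).split(/[;{}]/)) {
    const stmt = piece.trim();
    for (const name of disallowed) {
      if (!stmt.toLowerCase().startsWith(name.toLowerCase())) continue;
      // Require a word boundary so "@pluginfoo" (a hypothetical, harmless
      // at-rule) is not flagged, while '@plugin "url"' and '@plugin(...)' are.
      const rest = stmt.slice(name.length);
      if (rest === '' || /^[\s("']/.test(rest)) hits.push(stmt);
    }
  }
  return hits;
}

function isSafeToRender(src, disallowed) {
  return findDisallowedDirectives(src, disallowed).length === 0;
}

// Gate the renderer: `render` is whatever the application uses (for example a
// wrapper around less.render); it is injected here so the example runs offline.
function guardedRender(src, render, disallowed) {
  const hits = findDisallowedDirectives(src, disallowed);
  if (hits.length > 0) {
    throw new Error('refused Less input containing: ' + hits.join(' | '));
  }
  return render(src);
}

// Constructed sample inputs (not taken from the article or the researchers' PoC).
const SAFE_LESS = '.card { color: @brand; width: (@base * 2); content: "@plugin in a string"; }';
const UNSAFE_LESS = [
  '/* @plugin "commented-out"; */',
  '.x { color: red; } // a line comment',
  '@plugin "https://example.invalid/plugin.js";',
  '.y { a: b }',
].join('\n');

module.exports = { stripComments, findDisallowedDirectives, isSafeToRender, guardedRender, SAFE_LESS, UNSAFE_LESS };
```

The check is a coarse allow/deny filter on syntax, not a parser for Less; it is meant to sit in front of the renderer as a first line of defence, and the `disallowed` list can be extended if the application also wants to refuse other at-rules.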
The blog post published by Software Secured contains a proof-of-concept and an example of how the plugins have been exploited in the real world.
The researchers looked at CodePen.io, a popular website for creating web code snippets that supports standard languages as well as Less.js. They tried their PoCs against the site and were able to “leak their AWS secret keys and run arbitrary commands in their AWS Lambdas”.
They then reported the vulnerability to CodePen.io, which patched the bug.
This feature can expose users to remote attacks, researchers from Canadian infosec company Software Secured explained in a blog post.
“In our judgment, this way of complementing and @import (online) has never been written about before. We notified the maintainers over a year ago, when the bugs were known.