Issues in plugin feature can leave users at risk
A vulnerability in popular preprocessor language Less.js could be exploited to achieve remote code execution (RCE) against websites that allow users to input Less.js code, researchers have warned.
Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites.
The Less.js library supports plugins which can be included directly in the Less code from a remote source using the @plugin syntax.
It is this feature that can leave a user vulnerable to remote attack, researchers from Canadian infosec firm Software Secured detailed in a blog post.
“This can lead to two outcomes depending on the context of the Less processor,” they wrote.
All versions of Less that support the @plugin syntax are vulnerable, the researchers added.
Real-world examples
The blog post contains a proof-of-concept and example of how the plugin syntax can be exploited in the real world.
Researchers looked at CodePen.io, a popular website for creating web code snippets that supports standard languages plus Less.js.
They tried their PoCs against the site and were able to “leak their AWS secret keys and run arbitrary commands inside their AWS Lambdas”.
The vulnerability was reported to CodePen.io, which patched the bug.
Speaking to The Daily Swig, Jeremy Buis, who authored the blog post, said the vulnerability requires “certain conditions” to be successful.
“An example vulnerable scenario might be a feature that accepts custom styling via Less code from a user,” Buis said. “Once in a vulnerable configuration, it is straightforward to exploit the application.”
Buis said that, as far as he knows, Less has not patched the bug. “The backtick behaviour has been known for a while and there is configuration to mitigate in recent versions,” Buis added.
“The plugin and @import (inline) behaviour hasn’t been written about before as far as we can tell. We reached out to the maintainers over a year ago where the bugs were acknowledged.”
Buis advised Less.js users to mitigate the risk by not accepting Less input from users at all. “Instead of Less code, allow regular CSS use instead,” he said.
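Where an application cannot drop Less input entirely, one defence-in-depth layer is a fail-closed pre-filter that rejects the three features this article names (`@plugin`, `@import (inline)` and backtick JavaScript) before the compiler ever sees the input. The code below is an added example written for this page, not code from Software Secured or the Less.js project; the function names are hypothetical, and it assumes the filtered input is then compiled with inline JavaScript disabled (`javascriptEnabled: false`).

```javascript
// Added example, not code from the Software Secured post or the Less.js project.
// Fail-closed pre-filter for user-supplied Less, run before the Less compiler.
// Comments are stripped first so a directive hidden inside /* ... */ or // ...
// cannot slip past a plain text search.

// Drop block and line comments but copy string literals verbatim, so that
// "//" inside a quoted URL is not mistaken for a comment start.
function stripComments(src) {
  let out = '', i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      let j = i + 1;
      while (j < src.length && src[j] !== ch) {
        if (src[j] === '\\') j++; // skip the escaped character
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (ch === '/' && src[i + 1] === '*') {
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
      out += ' ';
    } else if (ch === '/' && src[i + 1] === '/') {
      const end = src.indexOf('\n', i);
      i = end === -1 ? src.length : end;
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Returns the list of reasons the input was rejected; an empty list means it may
// be handed to the compiler (still with inline JavaScript disabled there).
function findDangerousLessFeatures(userLess) {
  const code = stripComments(userLess);
  const reasons = [];
  if (/@plugin\b/i.test(code)) reasons.push('@plugin directive');
  // @import options are a comma-separated list in parentheses, e.g. (inline, optional)
  const importOpts = /@import\s*\(([^)]*)\)/gi;
  for (const m of code.matchAll(importOpts)) {
    const opts = m[1].split(',').map((o) => o.trim().toLowerCase());
    if (opts.includes('inline')) reasons.push('@import (inline) directive');
  }
  if (code.includes('`')) reasons.push('backtick inline JavaScript');
  return reasons;
}
```

A deny-list like this deliberately errs toward false positives (a `@plugin` inside a string literal is still rejected) and remains a weaker control than the article's primary advice of accepting plain CSS only.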