On Fri, Sep 13, 2019 at 5:06 AM Jonathan Burkett wrote:
Hello developers,
I've recently encountered a bug on the https://lua.org/demo.html webpage. This allows for manipulation of webpage text through the Lua compiler. I ran the code: 
function a()
print(('Unnatural Lua Behavior\n'):rep(6))
end
debug.sethook(a,'c',1)
a()

This spams 'Unnatural Lua Behavior' to the output and also overrides the message at the bottom with repetitions. This is likely open to running XSS within the webpage body.
Hope y'all take care,
-Jonathan

A similar "vulnerability" is the following:
a=setmetatable({}, {__gc = function() print('--><script>alert("Surprise!");</script>') end})
It was reported 2 years ago and is still not fixed:
http://lua-users.org/lists/lua-l/2017-07/msg00254.html
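As an added illustration (not code from either message above, nor from lua.org), this is the kind of output encoding a page like the demo would need before writing a program's printed text into the HTML body; `html_escape` is a hypothetical helper, and the two sample strings are constructed from the payloads quoted in the thread.

```lua
-- Added example: escape the characters that let printed text close an HTML
-- comment ("-->") or open a <script> tag, before the text reaches the page.
local function html_escape(s)
  -- The extra parentheses drop gsub's second return value (the match count).
  return (s:gsub('[&<>"\']', {
    ['&'] = '&amp;', ['<'] = '&lt;', ['>'] = '&gt;',
    ['"'] = '&quot;', ["'"] = '&#39;',
  }))
end

-- Constructed sample outputs, taken from the two reports above.
local outputs = {
  ('Unnatural Lua Behavior\n'):rep(6),
  '--><script>alert("Surprise!");</script>',
}

for _, out in ipairs(outputs) do
  local safe = html_escape(out)
  -- After escaping, no raw angle brackets remain, so neither sample can
  -- terminate a comment or inject markup when wrapped in <pre>.
  assert(not safe:find('<', 1, true) and not safe:find('>', 1, true))
  io.write('<pre>', safe, '</pre>\n')
end
```

Output produced at garbage-collection time (the `__gc` case) takes the same path as ordinary `print` output, so it must be escaped by the same routine rather than handled separately.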