5

Last year a user managed to inject arbitrary javascript into reddit's markdown syntax. Can someone explain how this was done and how I can test whether my site is similarly vulnerable?

MichaelBlume
  • 228
  • 1
  • 6
  • add your website address i will check and tell you – Anantha Kumaran Mar 05 '10 at 18:49
  • I think it was through double-hashing. Wasn't there an entry on Reddit's blog that explained the issue? Reddit is blocked where I'm at so I can't check, unfortunately. – JAL Mar 05 '10 at 18:52

1 Answers1

3

Blog entry on the exploit:

http://blog.reddit.com/2009/09/we-had-some-bugs-and-it-hurt-us.html

The patch that fixed it:

https://github.com/reddit/reddit/commit/1f1f0606f5b6bf14a0db55a28cfd03e1e42e3550

jedberg
  • 421
  • 3
  • 9
  • 1
    The link to the patch has rotten to a 403. [This](https://github.com/reddit/reddit/commit/1f1f0606f5b6bf14a0db55a28cfd03e1e42e3550) is the same changeset on their Github account. –  Jul 13 '12 at 22:40