Exploiting Campfire for dummies
Posted by Nicholas Thu, 18 Jan 2007 13:08:32 GMT
So recently I’ve been using Campfire quite a bit, and I couldn’t help but notice some really obvious exploits that just shouldn’t be there.
Like what, you ask? Take the convenient feature that turns any submitted image URL (really any URL whose path ends in one of a few recognised extensions) into an image tag in the chat. Because the check is on the extension alone, it can be used to run a script in the browser of everyone viewing the chat: rename a script so that it carries an image extension (and, if the extension alone doesn't do it, serve it with an image MIME type) and paste the URL into Campfire. A malicious script can then do such nice things as steal viewers' cookies, lock their browsers in infinite loops, and so on.
Granted, given the context Campfire is used in, very few people will actually mess around with it (I'm sure your bosses would love to get redirected to goatse every time they view the chat transcripts..), but it does leave one wondering just how secure the poller is, especially since it's common knowledge that the poller was rewritten in a few hundred lines of C for performance reasons. Buffer overflow, anyone?
The image issue can be fixed by simply fetching and caching a copy of the image on an image server under a different domain, and rejecting anything that file(1) does not identify as an image. The separate domain matters as much as the content check: whatever does slip through is then served outside the chat application's origin, so it can't get at the chat's cookies or session. That's not to say it's the best or only way to solve the issue, but it's a start.
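To make that concrete, here is an added example (my own Ruby, not Campfire's or 37signals' code) contrasting the extension-only check described above with a content check on the fetched bytes of the kind file(1) performs, and building the tag against an assumed separate image host (images-cache.example.invalid) rather than the submitted URL. The sample byte strings are constructed for the example.

```ruby
require 'uri'
require 'digest'

IMAGE_EXTENSIONS = %w[.gif .jpg .jpeg .png].freeze

# The weak check the post describes: trust the URL's extension alone.
# A URL like http://host/evil.js.gif passes this just as well as a real GIF.
def image_url_by_extension?(url)
  path = URI.parse(url).path.to_s.downcase
  IMAGE_EXTENSIONS.any? { |ext| path.end_with?(ext) }
rescue URI::InvalidURIError
  false
end

# Leading magic bytes of the formats we accept; this is what file(1) keys on,
# so a renamed script (plain text) matches none of them.
MAGIC = {
  'image/gif'  => ["GIF87a".b, "GIF89a".b],
  'image/png'  => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
}.freeze

# Returns the detected image MIME type from the first bytes of the fetched
# body, or nil if the content is not one of the accepted image formats.
def sniff_image_type(bytes)
  head = bytes.b[0, 8]
  MAGIC.each do |mime, sigs|
    return mime if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# The server-side path: only after the fetched bytes pass the content check
# is a copy kept on the (assumed) separate image host, and the tag the chat
# emits points at that host under a content-addressed name. Nothing from the
# submitted URL, neither its host nor its filename, reaches the tag.
# Returns { mime:, tag: } on success, nil when the submission is rejected.
def cache_image(url, fetched_bytes, cache_host: 'images-cache.example.invalid')
  return nil unless image_url_by_extension?(url)
  mime = sniff_image_type(fetched_bytes)
  return nil if mime.nil?
  id = Digest::SHA256.hexdigest(fetched_bytes)
  { mime: mime, tag: %(<img src="https://#{cache_host}/#{id}" alt="">) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a minimal GIF header and a script renamed to .gif.
  real_gif = "GIF89a\x01\x00\x01\x00".b
  renamed  = "alert(document.cookie)".b
  p cache_image("http://example.invalid/pic.gif", real_gif)
  p cache_image("http://example.invalid/evil.js.gif", renamed)
end
```

The content check is deliberately done on the bytes the server fetched, not on anything the submitter claims (extension, Content-Type header), since both of those are under the attacker's control; and the cache host is the only origin the chat page ever references.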
Suffice it to say I don’t recommend screwing around with Campfire in any way. I just think it’s a bit sad to see something like that in an app that’s supposed to be the face of Rails. Ah well, live and learn.