Campfire... damnit...

Posted by Nicholas Tue, 30 Jan 2007 13:57:00 GMT

Well, a few weeks back I posted about some potential security issues with Campfire.

As it turns out, there are a few more interesting issues that we hadn’t yet found at that time. While we were messing around to see if you could put avatars in names via image tags, we discovered that certain places in Campfire were not replacing entities in the HTML, and were therefore rendering it. To some this issue may seem trivial, but I suggest that it’s actually potentially more dangerous than the issues discussed in my previous post.

Although its reach is smaller, thanks to the limited number of places where they forgot to strip or replace entities, it is probably far easier to abuse: embed something like an iframe and position it off screen, away from the user's view, where it could go unnoticed for quite a while unless someone goes digging into the chat markup.
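To make the escaping point concrete, here is an added illustration (not code from this post or from Campfire itself): a display name is rendered once without entity replacement, the way the affected views behaved, and once with the value entity-encoded first. The hostile name and the `attacker.example` iframe target are constructed for the demonstration; Campfire is a Rails app, and `CGI.escapeHTML` is what Rails' `h()` helper called at the time.

```ruby
require 'cgi'

# Constructed sample: a display name under attacker control. The iframe is
# positioned far off screen so nothing visible changes on the page.
# (Hypothetical payload for illustration, not one taken from the post.)
HOSTILE_NAME = '<iframe src="http://attacker.example/" ' \
               'style="position:absolute;left:-9999px"></iframe>Bob'

# Vulnerable rendering: the name is interpolated into the markup untouched,
# so the browser treats the iframe as part of the page.
def render_name_unescaped(name)
  "<span class=\"author\">#{name}</span>"
end

# Hardened rendering: replace &, <, >, " and ' with entities before the value
# reaches the HTML, so the browser shows the text instead of executing it.
def render_name_escaped(name)
  "<span class=\"author\">#{CGI.escapeHTML(name)}</span>"
end

# Quick check used to show the difference: does the output still contain a
# live <iframe ...> start tag? A regex is not an HTML parser, but it is
# enough to distinguish the two renderings here.
def contains_live_iframe?(html)
  html.match?(/<iframe\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_name_unescaped(HOSTILE_NAME)
  puts render_name_escaped(HOSTILE_NAME)
  puts "unescaped contains live iframe: #{contains_live_iframe?(render_name_unescaped(HOSTILE_NAME))}"
  puts "escaped contains live iframe:   #{contains_live_iframe?(render_name_escaped(HOSTILE_NAME))}"
end
```

The escaped version prints the literal text `<iframe ...>Bob` next to the message; the unescaped version silently loads the off-screen frame, which is exactly why this kind of bug goes unnoticed by the people using the room.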

The very sad part of all this is that we found these problems through casual use, rather than by actively trying to game the system (OK, I admit trying to put an avatar in a name is not casual use, but it’s also not malicious intent!).

Hopefully some day we’ll have a more secure Campfire where we can all safely chat away and work carefree.
