[URGENT] Security Vulnerability #18
XSS Vulnerability

XSS is possible via the use of the order query parameter.

Example

http://host/ressources?order=%27><script>alert(1);</script>

Problem

I've investigated Xain and found that there is no escaping of tag contents / attributes at all.

Responsible Disclosure

I'll follow responsible disclosure with this bug. Since it is already spotted in the wild you'll have 14 days to provide a fix before I'll have to release the issue.

Test

Those tests would have to pass to properly fix the issue:

diff --git a/test/xain_test.exs b/test/xain_test.exs
index d82257e..fb4e76c 100644
--- a/test/xain_test.exs
+++ b/test/xain_test.exs
@@ -31,6 +31,13 @@ defmodule XainTest do
assert result == "<div class=\"test\"></div>"
end
+ test "escapes attributes" do
+ result = markup do
+ div class: "test\"><script>alert(1);</script>"
+ end
+ assert result == "<div class=\"test"><script>alert(1);</script>\"></div>"
+ end
+
test "attributes with do" do
result = markup do
div class: "test" do
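Review bot: the expected value in `assert result == "<div class=\"test"><script>alert(1);</script>\"></div>"` contains an unescaped `"` right after `test`, which terminates the Elixir string literal, and even read past that it asserts that the payload is written back verbatim, which is the unescaped output this test is meant to reject. The expectation should be the entity-escaped attribute value, e.g. `class=\"test&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;\"`; if the entities were present in the original patch they have been lost in rendering and need restoring before the test is merged.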
@@ -40,6 +47,15 @@ defmodule XainTest do
assert result == "<div class=\"test\"><span></span></div>"
end
+ test "escapes attributes with do" do
+ result = markup do
+ div class: "test\"><script>alert(1);</script>" do
+ span()
+ end
+ end
+ assert result == "<div class=\"test"><script>alert(1);</script>\"></div>"
+ end
+
test "contents" do
result = markup do
div "test"
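Review bot: besides the same unescaped `"` and verbatim-payload expectation as in the first hunk, the expected string `"<div class=\"test"><script>alert(1);</script>\"></div>"` drops the `<span></span>` child even though the block calls `span()`; compare the neighbouring "attributes with do" test, which expects `"<div class=\"test\"><span></span></div>"`. The assertion should read `"<div class=\"test&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;\"><span></span></div>"`, otherwise it fails on a correctly escaping implementation too.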
@@ -47,6 +63,13 @@ defmodule XainTest do
assert result == "<div>test</div>"
end
+ test "escapes contents" do
+ result = markup do
+ div "<script>alert(1);</script>"
+ end
+ assert result == "<div><script>alert(1);</script></div>"
+ end
+
test "creates an a" do
result = markup do
a href: "/"

Contact

You can reach me on GitHub (@maennchen) and via Email ([email protected]).

@smpallen99 Are you abandoning us? I agree with the author that this is urgent. He supplied a PR. Please take a look. I don't want to be rude to just come along and ask of your time, but someone has to merge or decline it.
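Review bot: the "escapes contents" test expects `"<div><script>alert(1);</script></div>"`, i.e. the script element emitted unchanged, which is exactly the unescaped behaviour the issue reports; an escaping fix produces `"<div>&lt;script&gt;alert(1);&lt;/script&gt;</div>"` and that is what the assertion should check (again, possibly entities lost in rendering of the patch).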
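To make concrete what the three tests above require of a fix, here is an added Python illustration of a minimal markup builder that escapes attribute values and text content, placed next to the unescaped behaviour the issue reports. It is not xain's code and not the reporter's; the builder API (`tag`, `Safe`, `escape_attr`, `escape_text`, `has_live_script`) is assumed for illustration, and the two payloads are copied from the issue's test cases.

```python
"""Escaping attribute values and text content in a tiny markup builder.

Added example, not xain's code: the builder API and helper names are
assumptions made for this illustration."""

import html
import re

# Payloads constructed from the issue's test cases (no other values assumed).
ATTR_PAYLOAD = 'test"><script>alert(1);</script>'
CONTENT_PAYLOAD = "<script>alert(1);</script>"

# Tag and attribute names are interpolated raw, so they must come from the
# template author, never from user input; this check enforces their shape.
_NAME_RE = re.compile(r"[A-Za-z_:][-A-Za-z0-9_:.]*")


class Safe(str):
    """Marker for markup that tag() itself produced; it is not escaped again."""


def escape_attr(value) -> str:
    """Escape a value for a double-quoted attribute. quote=True also turns
    '"' and "'" into entities, so a payload cannot close the attribute early."""
    return html.escape(str(value), quote=True)


def escape_text(value) -> str:
    """Escape element text content ('&', '<', '>'), so '<script>' stays text."""
    return html.escape(str(value), quote=False)


def _check_name(name: str) -> str:
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid tag/attribute name: {name!r}")
    return name


def tag(name: str, content="", **attrs) -> Safe:
    """Render <name attr="...">content</name>, escaping every untrusted string.

    Child markup passed in as a Safe (i.e. produced by tag()) is kept as-is;
    anything else is treated as text. A trailing underscore lets callers write
    class_="x" for the reserved word 'class'."""
    _check_name(name)
    attr_str = "".join(
        f' {_check_name(k.rstrip("_"))}="{escape_attr(v)}"' for k, v in attrs.items()
    )
    body = content if isinstance(content, Safe) else escape_text(content)
    return Safe(f"<{name}{attr_str}>{body}</{name}>")


def vulnerable_tag(name: str, content="", **attrs) -> str:
    """The behaviour the issue reports: values interpolated with no escaping."""
    attr_str = "".join(f' {k.rstrip("_")}="{v}"' for k, v in attrs.items())
    return f"<{name}{attr_str}>{content}</{name}>"


def has_live_script(rendered: str) -> bool:
    """Crude check for a regression test: does the output open a real <script> element?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for builder in (vulnerable_tag, tag):
        print(builder.__name__, "attribute:", builder("div", class_=ATTR_PAYLOAD))
        print(builder.__name__, "content:  ", builder("div", CONTENT_PAYLOAD))
```

The `Safe` marker is the design point worth copying: only strings the builder itself produced bypass escaping, so nested calls such as `tag("div", tag("span"), class_=...)` render the child element while every caller-supplied string, attribute or content, goes through `html.escape`.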
@smpallen99 Thanks for merging the PR. Could you also release a new version and retire the old versions?

mix hex.retire xain 0.6.1 security --message "XSS Vulnerability (see https://github.com/smpallen99/xain/issues/18)"
mix hex.retire xain 0.6.0 security --message "XSS Vulnerability (see https://github.com/smpallen99/xain/issues/18)"
mix hex.retire xain 0.5.3 security --message "XSS Vulnerability (see https://github.com/smpallen99/xain/issues/18)"
mix hex.retire xain 0.5.2 security --message "XSS Vulnerability (see https://github.com/smpallen99/xain/issues/18)"

Yes, I'll try to get this done later today.

Done

This has been reported to the CVE Database. (Even though their description doesn't really make a lot of sense since this library does not handle any query parameters directly.) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20302
Since I haven't found your email, I encrypted the following report using your public keys on GitHub. If you have problems reading this message please contact me either here or via jonatan [at] maennchen.ch.

Message

Encrypted

Encrypted Keys

Decryption

openssl rsautl -decrypt -ssl -inkey ~/.ssh/id_rsa -in secret.txt.key.enc -out secret.txt.key
gpg -d --pinentry-mode loopback --passphrase-file ./secret.txt.key --armor [MESSAGE]
Responsible Disclosure
After the time for responsible disclosure has passed, I'll comment the password for the message here.
EDIT: I have some additional information, please contact me before you fix anything.