
Security Fix for Cross-site Scripting (XSS) - huntr.dev #586

Open
wants to merge 2 commits into base: master

Conversation

huntr-helper

https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| GitHub Issue URL | #464 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/form/1/README.md |

User Comments:

📊 Metadata *

Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.

Bounty URL: https://www.huntr.dev/bounties/1-npm-form

⚙️ Description *

The form library suffered from an XSS issue, which was caused by 2 minor issues inside the code that made possible the usage of eval on unsanitized values (inside the "override" of parseJSON) and HTML parsing of an unsanitized AJAX response.

💻 Technical Description *

The 2 issues have been fixed in the following way:

  • The eval inside the parseJSON function has been removed, and an error has been added which arises when the default $.parseJSON function (in jQuery) isn't declared (anyone with good intentions would simply add the jQuery script to the page and all works correctly again).

  • The unsanitized AJAX response was previously passed to parseHTML without any check, making it possible to inject additional HTML. I used a peculiarity of jQuery to translate the evaluated HTML nodes into text nodes, which are equal to HTML-encoded entities (this can be verified in the screenshot:
    [Screenshot from 2020-07-31 01-23-33])

🐛 Proof of Concept (PoC) *

No PoC was provided, so I worked mostly theoretically on the issue/lines identified by the 2 issues in the original repo.

🔥 Proof of Fix (PoF) *

Theoretical fix 😄

👍 User Acceptance Testing (UAT)

Can't be sure of this, but it all seems OK (nodes are still nodes of a different type, and a function is null --> raises an exception due to the function being undefined).
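The two fixes described in the technical description above, written out as an added example in plain JavaScript; this is not code from jquery-form/form or from the PR author. It shows a JSON parse helper that fails closed when no real parser is present instead of falling back to eval, and an encoder that renders an untrusted response body as inert text rather than parsing it as HTML. In the browser the PR relies on jQuery turning the response into DOM text nodes; this example reproduces the equivalent entity encoding directly so it runs under Node without a DOM. The function names, the parser-candidate list and the sample responses are assumptions constructed for the example.

```javascript
// Added example (not from jquery-form/form or the PR): the two fixes the PR
// describes, as stand-alone functions. Function names are assumptions.

// Candidate parsers in the order a page might provide them. In the plugin the
// first candidate would be jQuery's $.parseJSON; here the default is the
// built-in JSON.parse. No candidate ever falls back to eval().
const DEFAULT_PARSERS = [typeof JSON !== 'undefined' ? JSON.parse : undefined];

// Fix 1: parse JSON without eval. If no real parser is available the call
// fails closed with an error instead of executing the response as code.
function safeParseJSON(text, candidates = DEFAULT_PARSERS) {
  const parse = candidates.find((c) => typeof c === 'function');
  if (!parse) {
    throw new Error('No JSON parser available; load jQuery (or a JSON polyfill)');
  }
  return parse(text); // a non-JSON body raises SyntaxError here
}

// Fix 2: treat the response as text, never as markup. Putting a string into a
// DOM text node and reading the node back as HTML yields the same string with
// markup characters entity-encoded; this reproduces that encoding without a DOM.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function responseToText(response) {
  return String(response).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// How a response handler would combine the two: JSON bodies go through the
// fail-closed parser, every other body is rendered as inert text.
function renderResponse(body, type) {
  return type === 'json' ? safeParseJSON(body) : responseToText(body);
}

// Constructed sample responses (not captured from any real server).
const SAMPLE_JSON = '{"ok":true,"count":3}';
const SAMPLE_JS_NOT_JSON = '({ok:true})'; // a JS expression eval() would accept, not JSON
const SAMPLE_MARKUP = '<b>bold</b> & "quoted"';

// Runs the three cases and returns the results so they can be inspected.
function demo() {
  let rejected = false;
  try {
    safeParseJSON(SAMPLE_JS_NOT_JSON);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  return {
    parsed: renderResponse(SAMPLE_JSON, 'json'),
    nonJsonRejected: rejected,
    markupAsText: renderResponse(SAMPLE_MARKUP, 'text'),
  };
}
```

The point of the candidate list is that an undefined $.parseJSON is skipped rather than substituted with eval: either a real parser is found, or the call throws, which is the behaviour the PR describes.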

@brettz9

brettz9 commented Jan 26, 2021

Could we get this high severity XSS vulnerability security bug looked at?

wincent added a commit to liferay/liferay-frontend-projects that referenced this pull request Feb 8, 2021
Applies the suggested fix that is sitting in an unmerged PR on the
upstream repo:

jquery-form/form#586
@brettz9

brettz9 commented Jun 29, 2021

If the project is abandoned, please let us know, but if not, it's coming close to a year for a couple-line fix for a security bug... Thanks!

@covalesj

Just a ping on this -- it's a high vuln, with a fix, can someone with write access merge this in?
