
Security Fix for Cross-site Scripting (XSS) - huntr.dev

Open huntr-helper opened this issue 5 years ago • 3 comments

https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/form/pull/1 |
| GitHub Issue URL | https://github.com/jquery-form/form/issues/464 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/form/1/README.md |

User Comments:

📊 Metadata *

Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.

Bounty URL: https://www.huntr.dev/bounties/1-npm-form

⚙️ Description *

The form library suffered from an XSS issue, which was caused by 2 minor issues inside the code, which made possible the usage of eval on unsanitized values (inside the "override" of parseJSON) and HTML parsing of an unsanitized AJAX response.

💻 Technical Description *

The 2 issues have been fixed in the following way:

  • The eval inside the parseJSON function has been removed, and an error has been added which arises when the default $.parseJSON function (on jquery) isn't declared (anyone with good intentions would simply add the jquery script on the page and all works correctly again).

  • The unsanitized AJAX response was previously passed to parseHTML without any check, making it possible to inject additional HTML. I used a peculiarity of jquery to translate the evaluated HTML nodes into text nodes, which are equal to HTML-encoded entities (can be verified by seeing this: Screenshot from 2020-07-31 01-23-33).

🐛 Proof of Concept (PoC) *

No PoC was provided, so I worked mostly theoretically on the issue/lines identified by the 2 issues in the original repo.

🔥 Proof of Fix (PoF) *

Theoretical fix :smile:

👍 User Acceptance Testing (UAT)

Can't be sure of this, but it seems all OK (nodes are still nodes of a different type, and a function is null --> an exception is raised due to the function being undefined).

huntr-helper, Aug 10 '20 09:08
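The two patterns the submission describes, as an added example that is not code from jquery-form or from the fix PR: an eval-based JSON fallback beside a strict parser that fails when no parser is loaded, and a response treated as text rather than parsed as markup (the same effect the submission gets from turning parsed nodes into text nodes). The function names, the `__exampleMarker` flag and the response string are constructed for this example and do not come from the library.

```javascript
// Added example, not code from jquery-form or the fix PR. Function names,
// the __exampleMarker flag and the sample response are constructed.

// Vulnerable pattern: when no real JSON parser is present, evaluate the
// response text. Anything that is valid JavaScript, not only JSON, runs.
function parseJSONWithEvalFallback(text, jsonParser) {
  if (typeof jsonParser === 'function') return jsonParser(text);
  return (0, eval)('(' + text + ')'); // indirect eval: runs in global scope
}

// Hardened pattern, following the fix's approach: never evaluate; if the
// parser the library relies on is missing, fail loudly instead of falling back.
function parseJSONStrict(text, jsonParser) {
  if (typeof jsonParser !== 'function') {
    throw new Error('no JSON parser available: load jQuery (or pass JSON.parse)');
  }
  return jsonParser(text); // JSON.parse throws SyntaxError on non-JSON input
}

// Hardened pattern for the second issue: encode the response so that, if it
// is later inserted as markup, it renders as literal text (what converting
// parsed nodes to text nodes achieves in the browser).
function responseAsText(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(html).replace(/[&<>"']/g, (c) => map[c]);
}

// Runs a parser on a response and reports whether it accepted the input and
// whether the constructed side-effect flag was set while doing so.
function probe(parser, text, jsonParser) {
  globalThis.__exampleMarker = false; // constructed side-effect flag
  let parsed = false;
  try {
    parser(text, jsonParser);
    parsed = true;
  } catch (e) {
    parsed = false; // strict parser rejects non-JSON or missing parser
  }
  return { parsed, sideEffect: globalThis.__exampleMarker === true };
}

// Constructed response: valid JavaScript with a side effect, but not JSON.
const constructedResponse = 'globalThis.__exampleMarker = true, {"ok": 1}';

// Stand-alone run: the eval fallback executes the response as code, the
// strict parser refuses it, and the encoded form is inert text.
console.log(probe(parseJSONWithEvalFallback, constructedResponse, undefined));
console.log(probe(parseJSONStrict, constructedResponse, JSON.parse));
console.log(responseAsText('<b>bold</b> & "q"'));
```

The strict parser takes the JSON parser as a parameter only so the "jQuery not loaded" case can be exercised without a browser; in page code the equivalent check is whether `$.parseJSON` exists.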

Could we get this high severity XSS vulnerability security bug looked at?

brettz9, Jan 26 '21 23:01

If the project is abandoned, please let us know, but if not, it's coming close to a year for a couple lines fix for a security bug... Thanks!

brettz9, Jun 29 '21 13:06

Just a ping on this -- it's a high vuln, with a fix; can someone with write access merge this in?

covalesj, Apr 21 '23 11:04