Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

3rd party CORS request may execute CVE-2015-9251 #4882

Closed jhaar closed 6 years ago

jhaar commented 6 years ago

Hi there

I just installed "retire.js" - a Chrome plugin that will show up a range of vulnerabilities in JS used on websites you go to. I went to our graylog-2.4.5 server and it showed up two vulnerabilities. I haven't tested them so I don't know how real they are - but I thought it prudent to let you know

bootstrap 3.3.7 Found in https://....../assets/app.d62de657b1bfcd25ec80.js Vulnerability info: Medium 20184 XSS in data-target attribute

jquery 2.1.4 Found in https://...../assets/vendor.552834c48b86209e305c.js Vulnerability info: Medium 2432 3rd party CORS request may execute CVE-2015-9251 Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers

I think you already have a ticket open for the bootstrap one (you're waiting on 4.0 to be released I think), but the jquery one might be of interest. There were links to the jquery issue as follows:

Your Environment

joschi commented 6 years ago

Refs #4603

jhaar commented 6 years ago

Yes, that's the bootstrap reference I meant. I don't think the jquery one is related?

edmundoa commented 6 years ago

Thank you for the heads up @jhaar!

Regarding bootstrap, we are waiting for version 3.4 to be released. There's unfortunately little progress on that, and I'm not even sure if that will happen, but we will have a fix for the XSS issue in Graylog 3.0 even if we have to build our own patched version. Upgrading to bootstrap 4 is for now out of the table, since it introduced lots of breaking changes.

We already upgraded jQuery on the branch we use for the next Graylog version, as you can see in #4507.

jhaar commented 6 years ago

All good then :-)

joschi commented 6 years ago

I'm closing this issue because both issues have been already addressed (#4603 and #4507).

raghav-axero commented 4 years ago

I created two samples to demonstrate the issue:

jQuery 2.1.3: https://jsfiddle.net/raghav_khunger/1yn9rquz/10/


jQuery 3.3.1: https://jsfiddle.net/raghav_khunger/1yn9rquz/9/

In the 3.3.X version, you will not see any alert (JS code being executed).
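The difference between the two fiddles, as an added example that is not part of this thread, Graylog or jQuery: a simplified JavaScript model of how jQuery picks the dataType from the response Content-Type when none is given, and why the cross-domain prefilter introduced in 3.x stops a `text/javascript` response from being evaluated. `defaultContents`, `resolveDataType`, `wouldExecute` and the jQuery major version argument are the example's own simplifications, not jQuery API.

```javascript
// Added example (not Graylog or jQuery code): a simplified model of how jQuery
// decides whether an ajax response body gets evaluated as script (CVE-2015-9251).

// Content-Type sniffing table, simplified from jQuery's ajaxSettings.contents.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/,
  };
}
// The 3.x fix: an ajaxPrefilter disables script sniffing for cross-domain
// requests, so only an explicit dataType: "script" evaluates the response.
function crossDomainPrefilter(settings) {
  if (settings.crossDomain) {
    settings.contents.script = false;
  }
}
// Resolve the effective dataType: an explicit one wins, otherwise the response
// Content-Type is matched against the sniffing table (as ajaxHandleResponses does).
function resolveDataType(settings, contentType) {
  if (settings.dataType && settings.dataType !== "*") {
    return settings.dataType;
  }
  for (const [type, test] of Object.entries(settings.contents)) {
    if (test && test.test(contentType)) {
      return type;
    }
  }
  return "text";
}
// True when the request as configured would globalEval() the response body.
function wouldExecute(opts, contentType, jqueryMajor) {
  const settings = {
    crossDomain: Boolean(opts.crossDomain),
    dataType: opts.dataType,
    contents: defaultContents(),
  };
  if (jqueryMajor >= 3) {
    crossDomainPrefilter(settings);
  }
  return resolveDataType(settings, contentType) === "script";
}
// Constructed scenario from the fiddles: cross-origin GET, no dataType, and a
// server answering with Content-Type: text/javascript.
console.log(wouldExecute({ crossDomain: true }, "text/javascript", 2)); // true
console.log(wouldExecute({ crossDomain: true }, "text/javascript", 3)); // false
console.log(wouldExecute({ crossDomain: true, dataType: "json" }, "text/javascript", 2)); // false
```

Passing an explicit `dataType` on every cross-origin `$.ajax` call is the mitigation that also works on the 2.x line; jQuery 3.x applies the equivalent prefilter by default.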

akshdeep1232 commented 10 months ago

Bro, will this code work for jQuery 1.12.4? Can you please tell?