Smashing / smashing

The exceptionally handsome dashboard framework in Ruby and Coffeescript.
https://smashing.github.io/
MIT License

Escape widget error message #186

Closed gebhardtr closed 3 years ago

gebhardtr commented 3 years ago

To test, visit:

http://localhost:3030/views/number<h1>.html

kinow commented 3 years ago

@gebhardtr looks like it's rack-test that's unhappy with the URL in the get call. I've applied the suggestion from this issue and it fixed the build on this PR.

Also confirmed that the test with this change, in the master branch was failing.

Minitest::Assertion: --- expected
+++ actual
@@ -1,2 +1 @@
-# encoding: ASCII-8BIT
-"Drats! Unable to find a widget file named: nowidget-<h1> to render."
+"Drats! Unable to find a widget file named: nowidget-&lt;h1&gt; to render."

Let me know if you agree with the fix. Also, I'll prepare a release once it's merged, and will include this as a security bug. Let me know if you are OK with your name appearing as reporter for the bug :)

Thanks! Bruno

gebhardtr commented 3 years ago

Absolutely! Thank you very much, @kinow.

kinow commented 3 years ago

Fix released.

The easiest way to exploit this issue is probably by sending a malicious URL to someone with access to the dashboard. That way the executed code could be used to run malicious JS in Smashing that could be used to steal session cookies or other sensitive data.

Most browsers protect against attacks like this, but there is no guarantee a browser or extension would prevent it. However, secure cookies, and cookies in other domains would not leak to this session, making it harder for an attacker to steal them.

I think the risk is greater if the dashboard is running on localhost for development, or maybe in a subdomain like dashboards.domain.com, and somehow there are cookies from domain.com available to the session.

Thanks again for reporting it @gebhardtr. CVE-2021-35440 will be updated and published soon.

Bruno
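The injection point and the escaping fix discussed in this thread, as an added illustration that is not code from the Smashing project: a hypothetical Rack-style handler for `/views/<name>.html` shows the pre-fix message (widget name interpolated raw into the HTML body) beside the hardened one, using stdlib `ERB::Util.html_escape` rather than whatever helper the actual fix uses. The route regex, `KNOWN_WIDGETS`, and the already-decoded `PATH_INFO` are assumptions for the example.

```ruby
require 'erb'

# Constructed stand-in for the widget lookup: only "number" exists.
KNOWN_WIDGETS = %w[number].freeze

# Pre-fix behaviour (hypothetical reconstruction): the name taken from the
# URL is interpolated into the HTML body unchanged, so "<h1>" in the path
# is rendered as markup by the browser (reflected XSS).
def widget_error_unescaped(name)
  "Drats! Unable to find a widget file named: #{name} to render."
end

# Post-fix behaviour: HTML-escape the untrusted name before it reaches the
# body. ERB::Util.html_escape rewrites & < > " and ' to entities, which is
# exactly the "&lt;h1&gt;" the updated test expects.
def widget_error_escaped(name)
  "Drats! Unable to find a widget file named: " \
    "#{ERB::Util.html_escape(name)} to render."
end

# Minimal Rack-style handler for GET /views/<name>.html (hypothetical, not
# Smashing's router). PATH_INFO is assumed to be already URL-decoded.
def views_app(env)
  name = env['PATH_INFO'][%r{\A/views/(.+)\.html\z}, 1]
  html = { 'content-type' => 'text/html' }
  return [404, html, ['Not found']] if name.nil?

  if KNOWN_WIDGETS.include?(name)
    # Even the success path escapes the name: it lands inside an attribute.
    [200, html, ["<div data-view=\"#{ERB::Util.html_escape(name)}\"></div>"]]
  else
    [404, html, [widget_error_escaped(name)]]
  end
end

# Regression-test helper: a probe name carrying HTML metacharacters must
# never appear verbatim in the response body.
def reflects_unescaped?(name, body)
  name.match?(/[<>&"']/) && body.join.include?(name)
end
```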