Open qLb opened 7 years ago
Yes; please report it here: https://www.clamav.net/reports/fp
On Sat, Dec 10, 2016 at 11:48 AM, qLb notifications@github.com wrote:
Yesterday I scanned a whole bunch of archives (unpacked) for sec issues with clamav and guess what it found?
Html.Exploit.CVE_2016_3198-1 FOUND: bower_components/google-caja/ses-single-frame.js
infected package's bower.json shows:
```json
{
  "description": "Google Caja HTML Sanitizer",
  "homepage": "https://github.com/minrk/google-caja-bower",
  "ignore": [
    "git-svn-revision",
    "tasks.py"
  ],
  "keywords": [
    "sanitization"
  ],
  "license": "Apache 2.0",
  "name": "google-caja",
  "version": "6005.0.0"
}
```
false positive?
-- Mike Stay - metaweta@gmail.com http://www.cs.auckland.ac.nz/~mike http://reperiendi.wordpress.com