jquery-archive / jquery-mobile

jQuery Mobile Framework
https://jquerymobile.com

Security issues #8640

Open jupenur opened 5 years ago

jupenur commented 5 years ago

We've found major security issues affecting all versions of jQuery Mobile. How can I contact you privately?

(Please consider adding security contact info to jquery.com and jquerymobile.com)

arschmitz commented 5 years ago

Please email me directly; my email is on my profile.

jupenur commented 5 years ago

Thanks. I'll close this ticket and continue in email.

jupenur commented 5 years ago

Reopening, since it seems my emails aren't reaching anyone.

jupenur commented 5 years ago

Hey @arschmitz sorry to bug you, but I now have randos messaging me on LinkedIn asking for an exploit. If you got my email, can you please respond to it so I can close this ticket?

jupenur commented 5 years ago

Since we've been unable to get a response from you, we're forced to set a deadline for public disclosure. That deadline is in 90 days, counting from today. I've emailed you with a longer explanation.

marcus-hiles commented 5 years ago

@jupenur sorry your emails are not going through to him, but cool it aight. We all use jquery so disclosing whatever you have found to the public might give hackers another weapon in their arsenal. And they can cause harm with it. You can try emailing the founder (John Resig) of jquery here jeresig@gmail.com or tweet him twitter.com/jeresig Or you can get in touch with me here https://marcus-hiles.com/ . I enjoy development and we could do great stuff.

githubetc commented 5 years ago

It has been months since @jupenur disclosed a possible security issue. Has anyone from the jquery mobile team responded to @jupenur at all ?

If this security problem is difficult to patch then we have to start porting our code out to another web interface.

It is a royal pain, but better than getting hacked !

githubetc commented 5 years ago

It is about 90 days after 2-Feb-19 now, what's happening? Does anyone know anything about these security issues they can share?

FYI, a discussion on this topic I have started on jQuery Forum: http://forum.jquery.com/topic/jquery-mobile-security-issue

jupenur commented 5 years ago

Replying here, since the forum doesn't seem to let me log in.

> Probably a false alarm.

> I would guess it was BS.

I'm sorry to say this is not a false alarm, and certainly not BS. The vulnerability has been verified by @arschmitz. The issue is lack of resources, i.e. an active development team, on the jQuery side.

> adding more checking on the servers

This is a Cross-Site Scripting vulnerability affecting the framework directly. There are no easy mitigations available, and additional server-side validation does not help here. Up-to-date versions of JQM are slightly less vulnerable, so consider upgrading to the latest release if possible.

> Just waiting for that 90 days after 2-Feb-19 public disclosure by him now.

Public disclosure is probably coming in a couple of weeks, however right now I'm on PTO and don't have a proper internet connection or access to my work email.

So yes, public disclosure is coming eventually, this is just a slight delay because of unrelated things IRL.

> If this security problem is difficult to patch then we have to start porting our code out to another web interface.

This would be a good idea. Patching is non-trivial and the project is effectively dead.

jupenur commented 5 years ago

Full details here.

dryabov commented 5 years ago

@jupenur So, it should be sufficient to do a test like

if (!/^text\/html/.test(xhr.getResponseHeader('Content-Type'))) {
    return;
}

before this._parse in _loadSuccess to get rid of this vulnerability, isn't it?

jupenur commented 5 years ago

@dryabov Sounds about right, yes, but don't take my word for it. I'm not an expert on JQM internals.

dryabov commented 5 years ago

@jupenur OK, thank you!

PS. I've slightly modified my patch to take into account that getResponseHeader returns null if the Content-Type header is not set.

PPS. Anyone is welcome to make a pull request; otherwise I'll do it on Monday after a few tests.
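One way to write the Content-Type guard proposed above, including the null case mentioned in the PS, as an added example that is not jQuery Mobile's code nor dryabov's actual patch. The `xhr` stub and the `parse` callback (standing in for `this._parse`) are assumptions made for the demonstration.

```javascript
// Returns true only when the response declares an HTML media type.
// A missing header (getResponseHeader returns null) is treated as
// "not HTML", so a body without Content-Type never reaches the parser.
function isHtmlResponse(xhr) {
  const contentType = xhr.getResponseHeader('Content-Type');
  if (typeof contentType !== 'string') {
    return false;
  }
  // The media type is the part before any ';' parameter
  // (e.g. "; charset=utf-8") and is matched case-insensitively.
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return mediaType === 'text/html';
}

// Wraps a success handler so that non-HTML responses are dropped before
// the body is interpreted as a page. `parse` stands in for this._parse.
function guardedLoadSuccess(xhr, responseText, parse) {
  if (!isHtmlResponse(xhr)) {
    return null; // refuse to parse the body as HTML
  }
  return parse(responseText);
}

// Constructed stub (not a real XHR) exposing only getResponseHeader(),
// which is all the guard needs.
function fakeXhr(contentType) {
  return {
    getResponseHeader(name) {
      return name.toLowerCase() === 'content-type' ? contentType : null;
    },
  };
}
```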

dryabov commented 5 years ago

OK, the patch is here.

PS. The original example from the above gist doesn't work with jQueryMobile 1.4.5, but it is sufficient to modify it slightly to make it work.

githubetc commented 5 years ago

> OK, the patch is here.

Thanks @dryabov for providing a patch so quickly. Much appreciated.

dryabov commented 5 years ago

The "Broken URL parsing" is fixed as well.

coliff commented 4 years ago

Will anyone merge the PRs, though? There haven't been any PRs merged since 2017... :-(

Lonzak commented 3 years ago

And has the fix been applied? I fear not.... The project's most probably dead...