Open spixi opened 1 month ago
As mentioned by @maxgubler, this is a duplicate of #3129. See that issue for a work-around. It is resolved in v4 (now out in beta).
Thanks, @spixi, for reporting this and documenting the situation so thoroughly.
A project I contribute to received an issue comment from GitHub user https://github.com/simul on Friday, June 7, that was almost identical—if not completely identical—to the one shown in the screenshot in this issue description. When viewing the issue page, the viewport was immediately "taken over" by a full-screen image (it was a flashing image of a Discord URL).
I used `curl` to download the issue page and found the problematic comment. Someone (I assume one of the project maintainers) has since deleted it from the issue page, but I still have the curl output. Here is the offending comment, in HTML format, copied from the curl output, for reference:

```html
<p dir="auto">sup</p>
<math-renderer class="js-display-math" style="display: block" data-static-url="https://github.githubassets.com/static" data-run-id="5287bd6428aa015df40f3018f5f9dcc0">$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: 5; position: fixed; inset: 0; opacity: 100%; background-size: 100% 100%; background-image: url('https://github.com/Roblox/t/assets/106361566/b3306f20-57e8-449d-95f7-0ec0597b4e7e');]{x0000}$}$$</math-renderer>
```
Do any of you know whether this issue has been reported to GitHub, Inc.? I am wondering whether they are aware of it as it may motivate them to upgrade to MathJax v4 (i.e. the version of MathJax that contains the fix).
I believe that the GitHub folk are aware of it. I observed the exploit in comments on two issues on the microsoft/vscode repo. One of the issues had been created by a core team member, a Microsoft employee. I emailed to alert him. Shortly afterwards the comment on his issue got hidden as abuse. The one on the other issue remained unhidden but was now defanged and accompanied by a notification that the `\unicode` clause it contained was not permitted to apply.
@eecavanna
> A project I contribute to received an issue comment from GitHub user ... on Friday, June 7, that was almost identical—if not completely identical—to the one shown in the screenshot in this issue description. When viewing the issue page, the viewport was immediately "taken over" by a full-screen image (it was a flashing image of a Discord URL).

Yes, it was exactly the same code with the same flashing GIF image. I reported the user for "Active Malware or Exploits" and it seems they have already deleted the user simulified. The organization simul has nothing to do with this.
Note that the original issue #3129 includes a v3 configuration that fixes the issue, so GitHub (and anyone else) could use that if they are not prepared to move to v4.
Issue Summary
The `\unicode{}` macro can be abused to load external resources using the CSS attribute `background-image` (and possibly also other CSS attributes) with the `url()` function.
Steps to Reproduce:
A certain GitHub user page shows an inappropriate image upon opening their profile. In the following screenshot I stopped it before rendering.
![Screenshot_20240608_031622_Chrome](https://github.com/mathjax/MathJax/assets/3192596/608efd3e-789c-4798-bbf2-2d5517bc7e56)
The user also used the exploit in comments to GitHub issues like https://github.com/wesnoth/wesnoth/issues/8964
The exploit can also be found in that user's profile here: https://raw.githubusercontent.com/*username*/*username*/main/README.md
The URL in that script appears to be a `github.com` URL, but actually redirects to a `github-production-user-asset-6210df.s3.amazonaws.com` URL. The background image is automatically loaded from an external source specified by the attacker. This may endanger the user's privacy and in the worst case could also be abused to prepare other attacks, e.g. by stealing session tokens, clickjacking or phishing.
This also may be exploitable with other CSS attributes like `src` in a `@font-face` rule. This vulnerability may be related to CVE-2018-1999024.
Technical details:
I am using the following MathJax configuration:
(unknown)
and loading MathJax via
(unknown)
Supporting information:
see screenshot
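As an added example, not MathJax's, GitHub's or the reporter's code, the following JavaScript scans a comment body for `\unicode[...]` invocations and flags an optional argument that carries CSS declarations or `url()` targets instead of a font name, which is the pattern this issue describes. It assumes the documented `\unicode[height,depth][font]{char}` / `\unicode[font]{char}` shapes (an assumption about the macro, not a copy of the MathJax parser); the function names and the benign sample comment are made up here, while the malicious sample is the comment quoted earlier in this thread.

```javascript
// Added example, not MathJax, GitHub or the reporter's code: scan a comment
// body for the \unicode[...] CSS-injection pattern described in this issue.
// Assumed macro shape (documented MathJax usage, taken here as an assumption):
//   \unicode[height,depth][font]{char}   or   \unicode[font]{char}
// The font argument is what the exploit abuses, so anything in it that is
// not a plain font-family value (a ';', a ':', a 'url(') is flagged.

// Two decimals separated by a comma: the height/depth argument.
const DIMS_RE = /^\s*(\d+(\.\d*)?|\.\d+)\s*,\s*(\d+(\.\d*)?|\.\d+)\s*$/;
// What a font-family value may contain: names, spaces, commas, quotes, hyphens.
const FONT_RE = /^[\w\s,'"\-]+$/;
// url(...) with optional quotes, as used in the injected background-image.
const URL_RE = /url\(\s*['"]?([^'")]+)['"]?\s*\)/g;

// Returns the trimmed font name if it is a plain font-family value, else null.
// This is the check a renderer should apply before emitting a style attribute.
function sanitizeFontFamily(font) {
  return FONT_RE.test(font) ? font.trim() : null;
}

// Reads one [...] group starting at text[i]; returns {body, end} or null.
function readBracket(text, i) {
  if (text[i] !== '[') return null;
  let depth = 0;
  for (let j = i; j < text.length; j++) {
    if (text[j] === '[') depth++;
    else if (text[j] === ']' && --depth === 0) {
      return { body: text.slice(i + 1, j), end: j + 1 };
    }
  }
  return null; // unterminated bracket
}

// Finds every \unicode with a font argument and classifies that argument.
// Each finding: {font, safe, declarations: [{property, value}], urls: []}.
function scanUnicodeMacros(text) {
  const findings = [];
  const macroRe = /\\unicode/g;
  let m;
  while ((m = macroRe.exec(text)) !== null) {
    let pos = m.index + m[0].length;
    const args = [];
    for (let k = 0; k < 2; k++) {          // at most two optional arguments
      const b = readBracket(text, pos);
      if (!b) break;
      args.push(b.body);
      pos = b.end;
    }
    let font = null;
    if (args.length === 2) font = args[1];
    else if (args.length === 1 && !DIMS_RE.test(args[0])) font = args[0];
    if (font === null) continue;           // no font argument, nothing to inject

    const safe = sanitizeFontFamily(font) !== null;
    const declarations = [];
    const urls = [];
    if (!safe) {
      // Split the smuggled "font; prop: value; ..." string into declarations.
      for (const part of font.split(';')) {
        const colon = part.indexOf(':');
        if (colon > 0) {
          declarations.push({
            property: part.slice(0, colon).trim(),
            value: part.slice(colon + 1).trim(),
          });
        }
      }
      for (const u of font.matchAll(URL_RE)) urls.push(u[1]);
    }
    findings.push({ font, safe, declarations, urls });
  }
  return findings;
}

// Sample 1: the comment quoted in this thread (TeX source of the exploit).
const EXPLOIT_COMMENT =
  "$$\\ce{$\\unicode[goombafont; color:red; pointer-events: none; z-index: 5; " +
  "position: fixed; inset: 0; opacity: 100%; background-size: 100% 100%; " +
  "background-image: url('https://github.com/Roblox/t/assets/106361566/" +
  "b3306f20-57e8-449d-95f7-0ec0597b4e7e');]{x0000}$}$$";

// Sample 2: constructed benign usage of the documented forms.
const BENIGN_COMMENT =
  "Compare $\\unicode[.55,0.05][Geramond]{x22D6}$ with $\\unicode{x22D6}$.";

for (const [label, body] of [['exploit', EXPLOIT_COMMENT], ['benign', BENIGN_COMMENT]]) {
  for (const f of scanUnicodeMacros(body)) {
    console.log(label, f.safe ? 'OK' : 'INJECTION',
      f.declarations.map(d => d.property).join(','), f.urls);
  }
}
```

Run against the quoted comment, the scanner reports one unsafe `\unicode` with eight injected declarations (`color` through `background-image`) and the single external `url()` target; the benign sample yields one safe finding with font `Geramond`. The `sanitizeFontFamily` check is the allow-list a renderer needs: once a `;` or `:` can reach a `style` attribute, every CSS property (including `position: fixed; inset: 0`) becomes attacker-controlled.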