CEP extensions have full access to the file system and can run arbitrary applications. Given these privileges, it might be a good idea to take security seriously. So it’s rather counterproductive that the RSSReader sample has a Remote Code Execution vulnerability that could, if somebody actually used that extension, allow a malicious website to take over the user’s system.
The issue is in this line:
Samples/RSSReader/js/main.js, line 85 in 2cd368a:
item.title
item.title is untrusted data, coming from an RSS feed on a potentially malicious website. Here it is being inserted into HTML code without any sanitization, so a malicious title like
Malicious<script>cep.process.createProcess(["c:\\windows\\system32\\calc.exe"]);</script>
should be able to run the calculator application (untested, might need minor modifications to actually work).
Properly sanitizing RSS data is actually not trivial. I see however that RSS post contents are inserted via a Mustache template, with escaping on. So I guess that correct functioning isn’t the goal here, and maybe the post title could be escaped here in the same way.
On a more general note, using jQuery encourages this kind of vulnerability. So maybe the samples shouldn’t use a framework, or they should at least use a framework that doesn’t immediately produce security vulnerabilities if not used carefully.
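The pattern the issue describes, shown as an added example that is not code from the CEP-Resources repository or from the issue author. The item shape ({title, link}) and the two render helpers are hypothetical stand-ins for the jQuery markup built in the RSSReader sample; the payload string is modelled on the one in the issue and is never executed, only rendered as text. The escaping applied in renderTitleSafe is the same kind of HTML escaping the author notes Mustache performs by default.

```javascript
// Added example, not from the CEP-Resources repo: an unescaped RSS title
// becomes markup, an escaped one stays text. The href scheme check goes
// beyond the issue's point about the title, because item.link is equally
// untrusted and lands inside an attribute.

// Escape the characters that can break out of HTML text or a quoted
// attribute value. This is the same substitution Mustache's {{...}} tags do.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only http(s) links in href; anything else (javascript:, data:,
// unparsable input) collapses to a harmless fragment link. Uses the WHATWG
// URL class that ships with Node and browsers.
function safeHref(link) {
  try {
    const url = new URL(String(link));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (_err) {
    return '#';
  }
}

// Vulnerable pattern (hypothetical stand-in for the sample's jQuery markup):
// untrusted feed fields are concatenated straight into HTML.
function renderTitleUnsafe(item) {
  return '<li><a href="' + item.link + '">' + item.title + '</a></li>';
}

// Hardened pattern: every untrusted field is escaped for the context it is
// placed in (attribute value for link, text node for title).
function renderTitleSafe(item) {
  return '<li><a href="' + escapeHtml(safeHref(item.link)) + '">' +
    escapeHtml(item.title) + '</a></li>';
}

// Crude indicator used only to contrast the two renderings: does the markup
// still carry a raw <script ...> tag that a CEF-based CEP panel would run?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed feed item modelled on the payload in the issue. The command
// lives inside a string literal here, so nothing is launched by this file.
const maliciousItem = {
  title: 'Malicious<script>cep.process.createProcess(["c:\\\\windows\\\\system32\\\\calc.exe"]);</script>',
  link: 'javascript:alert(document.domain)',
};

console.log('unsafe :', renderTitleUnsafe(maliciousItem));
console.log('safe   :', renderTitleSafe(maliciousItem));
```

The escaped rendering shows the attacker's title verbatim to the user, which is the correct outcome for a feed reader: the title is data, not markup. Note that escaping alone would still leave a javascript: href clickable, which is why safeHref is applied to the link before it is escaped for the attribute.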