
bug: Vulnerable outdated javascript libraries in consul/ui/javascripts/libs/ #3733


sechawk commented Dec 9, 2017

ember-1-10.js, ember-template-compiler.js -> CVE-2015-7565

jquery-1.10.2.min.js
- jquery/jquery#2432
- http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
- http://research.insecurelabs.org/jquery/test/

handlebars-1.3.0.min.js
- handlebars-lang/handlebars.js#1083

Note - I haven't done any in-depth assessment of whether these are actually exploitable in the way they are consumed in Consul; however, it's never great practice to use old, outdated libraries with publicly known vulnerabilities.

@slackpad slackpad added security archived/webui This was used for v1/ui labels Dec 21, 2017
@slackpad slackpad added this to the 1.0.3 milestone Dec 21, 2017

slackpad commented Dec 21, 2017

Hi @sechawk we are in the process of doing a full rewrite of the Consul UI based on up-to-date versions of all the libraries (which we will track for security updates), and the current libraries are old and difficult to quickly patch / update.

As a stop-gap I audited the code for these issues and it looks like Consul is OK with respect to these (after one patch):

ember-1-10.js

  1. CVE-2015-7565

    Audited the Handlebars templates and all are primitive values. Experimented with some JS-like objects with string properties as a cross-check and they were properly escaped.

jquery-1.10.2.min.js

  1. jQuery issue 2432 - 3rd-party $.get() auto-executes if the content type is text/javascript

    Consul doesn't pull any 3rd party resources, nor pull resources based on user data.

  2. jQuery issue 11974 - parseHTML executes inline scripts like event handlers

    Verified that the parseHTML call isn't used in Consul's UI code.

handlebars-1.3.0.min.js

  1. Adding a few more badcharacters (handlebars-lang/handlebars.js#1083)

    Manually patched the = escape fix under "Patches handlebars JS to escape = to prevent XSS" (#3763).
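The `=` escape discussed in the audit above, as an added example that is not Consul's or Handlebars' own code: a Handlebars-1.3-style escape table beside the same table with `=` added (the change handlebars-lang/handlebars.js#1083 made), each rendered into a constructed template with an unquoted attribute value so the difference is visible. The table names, `renderLink`, `countAttributePairs` and the sample value are assumptions made for illustration.

```javascript
// Added example, not code from Consul or Handlebars. It mimics Handlebars'
// escapeExpression as 1.3.0 shipped it and as handlebars-lang/handlebars.js#1083
// changed it (adding "=" to the escaped set), then renders a constructed
// unquoted-attribute template with each to show what escaping "=" buys.

// Escape table as Handlebars 1.3.0 used it (assumed here): "=" is absent.
const ESCAPE_OLD = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "`": "&#x60;",
};

// The same table with "=" added, as #1083 did.
const ESCAPE_FIXED = { ...ESCAPE_OLD, "=": "&#x3D;" };

// Build an escapeExpression-style function from a table.
function makeEscaper(table) {
  // None of the keys is special inside a regex character class.
  const re = new RegExp("[" + Object.keys(table).join("") + "]", "g");
  return (value) => String(value).replace(re, (ch) => table[ch]);
}

const escapeOld = makeEscaper(ESCAPE_OLD);
const escapeFixed = makeEscaper(ESCAPE_FIXED);

// Constructed template with an UNQUOTED attribute value, the context where
// "=" matters: a space ends the value and the rest is parsed as attributes.
function renderLink(url, escape) {
  return "<a href=" + escape(url) + ">link</a>";
}

// Count name=value attribute pairs in the rendered <a> tag, roughly as a
// browser would. Only a pair with a real "=" becomes a handler attribute.
function countAttributePairs(html) {
  const tag = html.match(/^<a\s([^>]*)>/)[1];
  return tag.split(/\s+/).filter((t) => /^[^=]+=.+$/.test(t)).length;
}

// Constructed value: the space ends the unquoted href, and "onclick=..."
// becomes a second attribute only if "=" survives escaping.
const INPUT = "#/ onclick=doThing()";

// 2 pairs with the 1.3.0 table (href plus injected handler), 1 with the fix.
const OLD_PAIRS = countAttributePairs(renderLink(INPUT, escapeOld));
const FIXED_PAIRS = countAttributePairs(renderLink(INPUT, escapeFixed));
```

Even with `=` escaped, the space still ends the unquoted value, so quoting attribute values in the templates themselves is the more robust fix; the `=` escape only stops the leaked text from forming a working name=value pair.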
