This repository has been archived by the owner on Oct 8, 2021. It is now read-only.

Security issues #8640

Open
jupenur opened this issue Dec 1, 2018 · 18 comments

Comments

@jupenur

jupenur commented Dec 1, 2018

We've found major security issues affecting all versions of jQuery Mobile. How can I contact you privately?

(Please consider adding security contact info to jquery.com and jquerymobile.com)

@arschmitz
Contributor

Please email me directly; my email is on my profile.

@jupenur
Author

jupenur commented Dec 2, 2018

Thanks. I'll close this ticket and continue in email.

@jupenur jupenur closed this as completed Dec 2, 2018
@jupenur
Author

jupenur commented Dec 21, 2018

Reopening, since it seems my emails aren't reaching anyone.

@jupenur jupenur reopened this Dec 21, 2018
@jupenur
Author

jupenur commented Jan 22, 2019

Hey @arschmitz sorry to bug you, but I now have randos messaging me on LinkedIn asking for an exploit. If you got my email, can you please respond to it so I can close this ticket?

@jupenur
Author

jupenur commented Feb 1, 2019

Since we've been unable to get a response from you, we're forced to set a deadline for public disclosure. That deadline is in 90 days, counting from today. I've emailed you with a longer explanation.

@marcus-hiles

@jupenur sorry your emails are not going through to him, but cool it, aight. We all use jQuery, so disclosing whatever you have found to the public might give hackers another weapon in their arsenal, and they can cause harm with it. You can try emailing the founder of jQuery (John Resig) here: jeresig@gmail.com, or tweet him: twitter.com/jeresig
Or you can get in touch with me here: https://marcus-hiles.com/ . I enjoy development and we could do great stuff.

@githubetc

githubetc commented Mar 26, 2019

It has been months since @jupenur disclosed a possible security issue.
Has anyone from the jQuery Mobile team responded to @jupenur at all?

If this security problem is difficult to patch then we have to start porting our code out to another web interface.

It is a royal pain, but better than getting hacked!

@githubetc

It is about 90 days after 2-Feb-19 now, what's happening?
Does anyone know anything about these security issues they can share?

FYI, a discussion on this topic I have started on jQuery Forum:
http://forum.jquery.com/topic/jquery-mobile-security-issue

@jupenur
Author

jupenur commented May 2, 2019

Replying here, since the forum doesn't seem to let me log in.

Probably a false alarm.

I would guess it was BS.

I'm sorry to say this is not a false alarm, and certainly not BS. The vulnerability has been verified by @arschmitz. The issue is lack of resources, i.e. an active development team, on the jQuery side.

adding more checking on the servers

This is a Cross-Site Scripting vulnerability affecting the framework directly. There are no easy mitigations available, and additional server-side validation does not help here. Up-to-date versions of JQM are slightly less vulnerable, so consider upgrading to the latest release if possible.

Just waiting for that 90 days after 2-Feb-19 public disclosure by him now.

Public disclosure is probably coming in a couple of weeks, however right now I'm on PTO and don't have a proper internet connection or access to my work email.

So yes, public disclosure is coming eventually, this is just a slight delay because of unrelated things IRL.

If this security problem is difficult to patch then we have to start porting our code out to another web interface.

This would be a good idea. Patching is non-trivial and the project is effectively dead.

@jupenur
Author

jupenur commented May 4, 2019

Full details here.

@dryabov
Contributor

dryabov commented May 4, 2019

@jupenur So, it should be sufficient to do a test like

if (!/^text\/html/.test(xhr.getResponseHeader('Content-Type'))) {
    return;
}

before this._parse in _loadSuccess to get rid of this vulnerability, isn't it?

@jupenur
Author

jupenur commented May 4, 2019

@dryabov Sounds about right, yes, but don't take my word for it. I'm not an expert on JQM internals.

@dryabov
Contributor

dryabov commented May 4, 2019

@jupenur OK, thank you!

PS. I've slightly modified my patch to take into account that getResponseHeader returns null if the Content-Type header is not set.

PPS. Anyone is welcome to make a pull request; otherwise I'll do it on Monday after a few tests.
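The guard dryabov proposes above (a Content-Type test before this._parse in _loadSuccess, later adjusted for the null that getResponseHeader returns when the header is absent) is easy to get subtly wrong, so here is an added, self-contained version of that check. This is example code written for this thread, not jQuery Mobile's own code or dryabov's patch; the names isHtmlContentType, loadSuccessGuarded and fakeXhr, and the constructed responses, are assumptions made for illustration.

```javascript
// Added example (not jQuery Mobile's code): gate HTML parsing on the response's
// Content-Type so that non-HTML responses (JSON, plain text, ...) are never
// handed to an HTML parser and injected into the DOM.

// True only when the header names the text/html media type.
// Handles null/undefined, which is what getResponseHeader() yields when the
// server sent no Content-Type at all.
function isHtmlContentType(contentType) {
  if (typeof contentType !== 'string') {
    return false; // header missing: refuse to treat the body as markup
  }
  // Ignore parameters such as "; charset=utf-8" and compare case-insensitively.
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return mediaType === 'text/html';
}

// Hypothetical stand-in for the _loadSuccess step: returns the parsed page,
// or null when the response is skipped because it is not HTML.
function loadSuccessGuarded(xhr, parse) {
  if (!isHtmlContentType(xhr.getResponseHeader('Content-Type'))) {
    return null;
  }
  return parse(xhr.responseText);
}

// Constructed XMLHttpRequest-like object; header lookup is case-insensitive
// and returns null for a missing header, as the real API does.
function fakeXhr(headers, body) {
  return {
    responseText: body,
    getResponseHeader(name) {
      const key = Object.keys(headers).find(
        (k) => k.toLowerCase() === name.toLowerCase()
      );
      return key === undefined ? null : headers[key];
    },
  };
}

// Minimal "parser" that just records what it was given.
function recordingParse(text) {
  return { html: text };
}

// Constructed sample responses.
const htmlResponse = fakeXhr({ 'Content-Type': 'text/html; charset=utf-8' }, '<p>page</p>');
const jsonResponse = fakeXhr({ 'content-type': 'application/json' }, '{"name":"<img src=x>"}');
const untypedResponse = fakeXhr({}, '<script>alert(1)</script>');

console.log(loadSuccessGuarded(htmlResponse, recordingParse));    // { html: '<p>page</p>' }
console.log(loadSuccessGuarded(jsonResponse, recordingParse));    // null
console.log(loadSuccessGuarded(untypedResponse, recordingParse)); // null
```

The check is deliberately stricter than a bare `^text/html` regex: it strips parameters, normalises case, and treats a missing header as "not HTML", which is the conservative default for anything that ends up in the DOM.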

dryabov added a commit to dryabov/jquery-mobile that referenced this issue May 6, 2019
@dryabov
Contributor

dryabov commented May 6, 2019

OK, the patch is here.

PS. The original example from the above gist doesn't work with jQuery Mobile 1.4.5, but it is sufficient to modify it slightly to make it work.

@githubetc

OK, the patch is here.

Thanks @dryabov for providing a patch so quickly.
Much appreciated.

dryabov added a commit to dryabov/jquery-mobile that referenced this issue May 6, 2019
Fixed "Broken URL parsing" issue mentioned in issue jquery-archive#8640 [details: 1) empty username or password are allowed, 2) colon in password is allowed]
@dryabov
Contributor

dryabov commented May 6, 2019

The "Broken URL parsing" is fixed as well.

@coliff

coliff commented Jun 12, 2019

Will anyone merge the PRs though? There haven't been any PRs merged since 2017... :-(

apsdehal pushed a commit that referenced this issue Jun 13, 2019
* Fixed issue in URL parsing

Fixed "Broken URL parsing" issue mentioned in issue #8640 [details: 1) empty username or password are allowed, 2) colon in password is allowed]

* Handle forward and back slashes identically

To avoid incorrect parsing of URL like `http://evil.domain\@good.domain/`

* addendum to "Handle forward and back slashes identically"

One slash has been missed
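The "Handle forward and back slashes identically" commit above is about a classic URL-authority confusion: browsers (per the WHATWG URL parser) treat `\` like `/` in http(s) URLs, so a check that only stops at `/` can attribute `http://evil.domain\@good.domain/` to good.domain while the browser actually requests evil.domain. The following added example, which is not jQuery Mobile's code or the commit's diff, contrasts a naive host extractor with one that normalises both slashes and cross-checks the result against the built-in WHATWG `URL` class; the function names and the sample URL are constructed for illustration.

```javascript
// Added example (not jQuery Mobile's code): host extraction before and after
// treating "\" the same as "/" in the authority part of an http(s) URL.

// Naive extractor: only "/" ends the authority, then userinfo up to the last
// "@" is dropped. A backslash is silently treated as part of the host string.
function naiveHost(url) {
  const afterScheme = url.slice(url.indexOf('://') + 3);
  const authority = afterScheme.split('/')[0];
  return authority.slice(authority.lastIndexOf('@') + 1).toLowerCase();
}

// Hardened extractor: either slash ends the authority, matching how browsers
// parse special schemes, so "evil.domain\@good.domain" yields host evil.domain.
function normalizedHost(url) {
  const afterScheme = url.slice(url.indexOf('://') + 3);
  const authority = afterScheme.split(/[\/\\]/)[0];
  return authority.slice(authority.lastIndexOf('@') + 1).toLowerCase();
}

// Reference: what the WHATWG URL parser (the browser's view) resolves the host to.
function browserHost(url) {
  return new URL(url).hostname.toLowerCase();
}

// Same-host check parameterised by the extractor, so the two can be compared.
function isSameHost(url, expectedHost, extract) {
  return extract(url) === expectedHost.toLowerCase();
}

// Constructed sample: the shape of URL named in the commit message.
const sample = 'http://evil.domain\\@good.domain/';

console.log(naiveHost(sample));      // good.domain  (wrong: trusts the URL)
console.log(normalizedHost(sample)); // evil.domain  (agrees with the browser)
console.log(browserHost(sample));    // evil.domain
```

The practical takeaway for any same-origin or allow-list check on a URL string: normalise both slash characters before locating the authority, or better, derive the host from a real URL parser and compare that, rather than from a hand-rolled split.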
@Lonzak

Lonzak commented Jan 25, 2021

And has the fix been applied? I fear not... The project's most probably dead...
