Security issues #8640
Comments
|
please email me directly my email is on profile |
|
Thanks. I'll close this ticket and continue in email. |
|
Reopening, since it seems my emails aren't reaching anyone. |
|
Hey @arschmitz sorry to bug you, but I now have randos messaging me on LinkedIn asking for an exploit. If you got my email, can you please respond to it so I can close this ticket? |
|
Since we've been unable to get a response from you, we're forced to set a deadline for public disclosure. That deadline is in 90 days, counting from today. I've emailed you with a longer explanation. |
|
@jupenur sorry your emails are not going through to him, but cool it aight. We all use jquery so disclosing whatever you have found to the public might give hackers another weapon in their arsenal. And they can cause harm with it. You can try emailing the founder(John Resig) of jquery here [email protected] or tweet him twitter.com/jeresig |
|
It has been months since @jupenur disclosed a possible security issue. If this security problem is difficult to patch then we have to start porting our code out to another web interface. It is a royal pain, but better than getting hacked ! |
|
It is about 90 days after 2-Feb-19 now, what's happening ? FYI, a discussion on this topic I have started on jQuery Forum: |
|
Replying here, since the forum doesn't seem to let me log in.
I'm sorry to say this is not a false alarm, and certainly not BS. The vulnerability has been verified by @arschmitz. The issue is lack of resources, i.e. an active development team, on the jQuery side.
This is a Cross-Site Scripting vulnerability affecting the framework directly. There are no easy mitigations available, and additional server-side validation does not help here. Up-to-date versions of JQM are slightly less vulnerable, so consider upgrading to the latest release if possible.
Public disclosure is probably coming in a couple of weeks, however right now I'm on PTO and don't have a proper internet connection or access to my work email. So yes, public disclosure is coming eventually, this is just a slight delay because of unrelated things IRL.
This would be a good idea. Patching is non-trivial and the project is effectively dead. |
|
Full details here. |
|
@jupenur So, it should be sufficient to do a test like before |
|
@dryabov Sounds about right, yes, but don't take my word for it. I'm not an expert on JQM internals. |
|
@jupenur OK, thank you! PS. I've slightly modified my patch to take into account that getResponseHeader returns null if Content-Type header is not set. PPS. Anyone welcome to make a pull request, otherwise I'll do it on Monday after few tests. |
Fix for issue jquery-archive#8640 (possible XSS vulnerability)
|
OK, the patch is here. PS. Original example from above gist doesn't work with jQueryMobile 1.4.5, but it is sufficient to modify it slightly to make it working. |
Thanks @dryabov for providing a patch so quickly. |
Fixed "Broken URL parsing" issue mentioned in issue jquery-archive#8640 [details: 1) empty username or password are allowed, 2) colon in password is allowed]
|
The "Broken URL parsing" is fixed as well. |
|
will anyone merge the PRs though? There haven't been any PRs merged since 2017... :-( |
Fix for issue #8640 (possible XSS vulnerability)
* Fixed issue in URL parsing Fixed "Broken URL parsing" issue mentioned in issue #8640 [details: 1) empty username or password are allowed, 2) colon in password is allowed] * Handle forward and back slashes identically To avoid incorrect parsing of URL like `http://evil.domain\@good.domain/ * addendum to "Handle forward and back slashes identically" One slash has been missed
|
And has the fix been applied? I fear not....Project's most probably dead... |
We've found major security issues affecting all versions of jQuery Mobile. How can I contact you privately?
(Please consider adding security contact info to jquery.com and jquerymobile.com)
The text was updated successfully, but these errors were encountered: