Thursday, December 1, 2016

[FD] XSS in tooltip plugin of Zurb Foundation 5

XSS vulnerability in the tooltip plugin of Zurb Foundation 5.x
=============================================================

URL to this advisory: http://ift.tt/2g14tPP

Vendor
======
http://zurb.com/

Product
=======
(Taken from http://ift.tt/1NJf52K)
Foundation is the most advanced, responsive front-end framework in the world. The framework is mobile friendly and ready for you to customize it any way you want to use it.

Vulnerability Type
==================
Cross-Site-Scripting Vulnerability

CVE Reference
=============
N/A

Vulnerability Details
=====================
The Foundation framework provides an easy way to insert tooltips into your code. The corresponding plugin for this is *foundation.tooltip.js*. Unfortunately the plugin takes HTML-encoded code from the title parameter and returns it as actual HTML, allowing an attacker to inject dynamic HTML/JS into an application if the application lets user input reach the title attribute of a tooltip'ed SPAN element. Even if the user input is correctly encoded before it is added to the tooltip'ed SPAN, the Foundation tooltip JavaScript will re-decode it and inject the actual HTML code.

Example code
============
This code snippet shows a simple HTML page with encoded HTML in a tooltip, utilizing the Foundation JS plugin.

This is a tooltip'ed SPAN

When opened in a browser, the encoded HTML from the title parameter in line 12 will be grabbed by the tooltip plugin and re-decoded to plain HTML in the output, causing the JavaScript to be injected into the page. A JavaScript alert window will pop up.

Quick fix/Workaround
====================
The problem lies in line 197 of *foundation.tooltip.js*:

    var $tip = $(tip_template(this.selector($target), $('<div></div>').html($target.attr('title')).html())),
        classes = this.inheritable_classes($target);

The title attribute is read and provided as HTML without any sanitization. As a quick fix, one could use the .text() function of jQuery to sanitize the read value from the title attribute.
This might not be a full fix for the issue, but at least worked in my examples. Here is a diff for quick patching:
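The following is an added example, not code from the advisory or from the Foundation project. It models, without a DOM or jQuery, the two steps that matter: the browser hands `.attr('title')` back with the attribute's entity references already decoded, and the plugin's template then concatenates that value into a markup string. The entity decoder, the `tipTemplate` shape and the `tipHasForeignElements` check are assumptions made for the illustration; the sample title is constructed.

```javascript
// Added example, not the advisory's or Foundation's code: shows why reading
// the title as HTML lets markup through, and why escaping it as text does not.

// What the browser returns for .attr('title'): entity references in the
// attribute are already decoded, so "&lt;b&gt;" arrives as "<b>".
// (Minimal decoder for the entities relevant here; an assumption, not a
// full HTML parser.)
function decodeAttributeValue(attrValue) {
  return attrValue
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // must run last so "&amp;lt;" becomes "&lt;"
}

// Text-to-HTML escaping: the effect of jQuery's .text(value).html() for the
// characters that matter inside element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed shape of the plugin's tip_template: the content is concatenated
// straight into a markup string that is later parsed into DOM nodes.
function tipTemplate(selector, content) {
  return '<span data-selector="' + selector + '" id="' + selector +
    '" class="tooltip" role="tooltip">' + content +
    '<span class="nub"></span></span>';
}

// Vulnerable path (advisory line 197): round-tripping the title through
// .html(title).html() keeps any markup in it as markup, so it reaches the
// template unchanged.
function buildTipVulnerable(selector, decodedTitle) {
  return tipTemplate(selector, decodedTitle);
}

// Quick fix from the advisory: treat the title as text, so markup in it is
// serialised as entity-encoded characters and renders literally.
function buildTipFixed(selector, decodedTitle) {
  return tipTemplate(selector, escapeHtml(decodedTitle));
}

// Defender-side check: does the generated tip contain any element other
// than the two spans the template is supposed to produce?
function tipHasForeignElements(tipHtml) {
  const tags = tipHtml.match(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g) || [];
  return tags.some(t => !/^<\/?span$/i.test(t));
}

// Constructed sample: the title attribute as written by an application that
// correctly entity-encoded untrusted input before putting it in the span.
const SAMPLE_TITLE_ATTR = 'Hello &lt;script&gt;alert(1)&lt;/script&gt;';

function demo() {
  const title = decodeAttributeValue(SAMPLE_TITLE_ATTR); // "Hello <script>alert(1)</script>"
  return {
    vulnerable: buildTipVulnerable('tooltip1', title),
    fixed: buildTipFixed('tooltip1', title),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('vulnerable:', out.vulnerable, '| foreign elements:', tipHasForeignElements(out.vulnerable));
  console.log('fixed:     ', out.fixed, '| foreign elements:', tipHasForeignElements(out.fixed));
}
```

Running it shows the vulnerable tip carrying a literal `<script>` element inside the tooltip span, while the fixed tip carries only the entity-encoded text; the `tipHasForeignElements` check is the kind of assertion a test suite for a tooltip component can keep around so a regression of this pattern is caught before release.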
