[CVE-2015-1840] CSRF Vulnerability in jquery-ujs and jquery-rails
3,271 views
Skip to first unread message
Aaron Patterson
Jun 16, 2015, 2:05:05 PM6/16/15
to secu...@suse.de, rubyonrail...@googlegroups.com, oss-se...@lists.openwall.com, ruby-sec...@googlegroups.com
CSRF Vulnerability in jquery-ujs and jquery-rails
There is an vulnerability in jquery-ujs and jquery-rails that can be used to
bypass CSP protections and allows attackers to send CSRF tokens to attacker domains.
This vulnerability has been assigned the CVE identifier CVE-2015-1840.
Versions Affected: All.
Not affected: Applications which don't use jquery-ujs or jquery-rails.
Fixed Versions: jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.
Impact
------
In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to " https://attacker.com" (note the leading space) that will be passed to JQuery,
who will see this as a same origin request, and send the user's CSRF token to the attacker domain.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
# Filter just the parameters that you trust
end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.
* 1-0-3-jquery_ujs_csrf.patch - Patch for jquery-ujs 1.0.3.
* 3-1-2-jquery-rails-csrf.patch - Patch for jquery-rails 3.1.2.
* 4-0-3-jquery-rails-csrf.patch - Patch for jquery-rails 4.0.3.
Credits
-------
Thanks to Ben Toews of GitHub for reporting the vulnerability to us, and working with us on a fix.
--
Aaron Patterson
http://tenderlovemaking.com/
There is an vulnerability in jquery-ujs and jquery-rails that can be used to
bypass CSP protections and allows attackers to send CSRF tokens to attacker domains.
This vulnerability has been assigned the CVE identifier CVE-2015-1840.
Versions Affected: All.
Not affected: Applications which don't use jquery-ujs or jquery-rails.
Fixed Versions: jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.
Impact
------
In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to " https://attacker.com" (note the leading space) that will be passed to JQuery,
who will see this as a same origin request, and send the user's CSRF token to the attacker domain.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
# Filter just the parameters that you trust
end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.
* 1-0-3-jquery_ujs_csrf.patch - Patch for jquery-ujs 1.0.3.
* 3-1-2-jquery-rails-csrf.patch - Patch for jquery-rails 3.1.2.
* 4-0-3-jquery-rails-csrf.patch - Patch for jquery-rails 4.0.3.
Credits
-------
Thanks to Ben Toews of GitHub for reporting the vulnerability to us, and working with us on a fix.
--
Aaron Patterson
http://tenderlovemaking.com/
Reply all
Reply to author
Forward
0 new messages