security risk


bestdnd

Nov 15, 2010, 2:48:23 PM
to ASCIIMath
When you are using the JS function eval, the argument can be JS code that can do all sorts of unwanted stuff: infinite loops, pop-ups, stealing cookies and passwords and sending them to a remote attacker (using AJAX), navigating away from the website, etc.

reproduction:
1. enter http://www1.chapman.edu/~jipsen/mathml/asciimathcalculator.html
2. enter the following into the calculator: alert("testing...")

expected result: some sort of undefined expression error.

actual result: you get a message box

note my debugger said the code ran from the file
http://www1.chapman.edu/~jipsen/mathml/ASCIIMathML.js, line 3405, in
function calculate(inputId,outputId), statement eval(mathjs(str)).

Also note that the design seems to evaluate the expression after every
keystroke, so pasting or the Win7 "tablet pc input panel" does not make it
calculate again.
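As an added example (not ASCIIMathML's own code; the grammar, the `tokenize`/`evaluate`/`calculate`/`safeCalculate` names and the error message are my own), here is how a calculator can evaluate arithmetic without `eval()`: the input is tokenized and parsed by a small recursive-descent evaluator, so non-arithmetic input such as `alert("testing...")` produces the undefined-expression error the report expects instead of being executed.

```javascript
// Added example, not ASCIIMathML's code: arithmetic without eval().
// Only numbers, + - * / ^ and parentheses are recognised; anything else
// (identifiers, strings, function calls) is rejected before evaluation.
function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/^()]))/y; // sticky: nothing is skipped
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new Error("undefined expression at position " + pos);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: "num", value: parseFloat(m[1]) });
    else tokens.push({ type: "op", value: m[2] });
  }
  return tokens;
}

// Recursive-descent evaluator with the usual precedence; ^ is right-associative
// and binds tighter than unary minus, so -(2+3)^2 is -25.
function evaluate(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const take = (want) => {
    const t = tokens[i++];
    if (!t || (want !== undefined && t.value !== want)) throw new Error("undefined expression");
    return t;
  };
  const isOp = (...ops) => peek() && peek().type === "op" && ops.includes(peek().value);
  function expr() { let v = term(); while (isOp("+", "-")) v = take().value === "+" ? v + term() : v - term(); return v; }
  function term() { let v = unary(); while (isOp("*", "/")) v = take().value === "*" ? v * unary() : v / unary(); return v; }
  function unary() { return isOp("-") ? (take(), -unary()) : factor(); }
  function factor() { const base = primary(); return isOp("^") ? (take(), Math.pow(base, unary())) : base; }
  function primary() {
    const t = take();
    if (t.type === "num") return t.value;
    if (t.value === "(") { const v = expr(); take(")"); return v; }
    throw new Error("undefined expression");
  }
  const result = expr();
  if (i !== tokens.length) throw new Error("undefined expression"); // trailing junk such as "2 3"
  return result;
}

function calculate(str) { return evaluate(tokenize(str.trim())); }

// What a calculator UI would display: the value, or an error message instead of side effects.
function safeCalculate(str) {
  try { return String(calculate(str)); } catch (e) { return "error: " + e.message; }
}
```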