[CVE-2014-0013] Potential XSS Exploit With User-Supplied Data When Binding Primitive Values

Tom Dale

Jan 14, 2014, 11:40:38 AM
to ember-s...@googlegroups.com
Potential XSS Exploit With User-Supplied Data When Binding Primitive Values

This vulnerability has been assigned the CVE identifier CVE-2014-0013.

In general, Ember.js escapes or strips any user-supplied content before
inserting it in strings that will be sent to innerHTML.  However, we have
identified a vulnerability that could lead to unescaped content being inserted
into the innerHTML string without being sanitized.

When a primitive value is used as the Handlebars context, that value is not
properly escaped.  An example of this would be using the `{{each}}` helper to
iterate over an array of user-supplied strings and using `{{this}}` inside the
block to display each string.

In applications that contain templates whose context is a primitive value and
use the `{{this}}` keyword to display that value, a specially-crafted payload
could execute arbitrary JavaScript in the context of the current domain
("XSS").

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 1.0.1, 1.1.3, 1.2.1, 1.3.1, 1.4.0-beta.2

Impact
-------

This vulnerability affects applications that contain templates whose context is
set to a user-supplied primitive value (such as a string or number) and also
contain the `{{this}}` special Handlebars variable to display the value.

Releases
--------

Releases are available on emberjs.com/builds/#/tagged

Workarounds
-----------

Ensure that you escape any user-supplied value that you use as the context for a
Handlebars template (e.g. inside an `{{each}}` block).
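The following is an added, stand-alone JavaScript model of the problem described in this advisory and of the workaround above; it is not Ember's code and pulls in no Ember or Handlebars dependency. It assumes a hypothetical `escapeHtml` helper standing in for the escaping Ember applies to ordinary bound properties, and it models `{{#each}}`/`{{this}}` over a primitive context as plain string concatenation into an innerHTML string, which is the failure the advisory describes. The input strings are constructed sample data.

```javascript
// Hypothetical helper (not Ember's own): HTML-escape a primitive before it
// is placed into markup. Covers the five characters that matter in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Models the vulnerable behaviour from CVE-2014-0013: when each item is a
// primitive used as the context and displayed with {{this}}, the value is
// concatenated into the innerHTML string verbatim, with no escaping.
function renderListUnescaped(items) {
  return '<ul>' + items.map(item => '<li>' + item + '</li>').join('') + '</ul>';
}

// The advisory's workaround for unpatched versions: escape every
// user-supplied value *before* it becomes the Handlebars context.
function renderListWithWorkaround(items) {
  return renderListUnescaped(items.map(item => escapeHtml(item)));
}

// Models a fixed version, where the framework escapes primitive contexts
// itself. Used below to show why the workaround must be removed after upgrading.
function renderListFixedFramework(items) {
  return '<ul>' + items.map(item => '<li>' + escapeHtml(item) + '</li>').join('') + '</ul>';
}

// Detection-style check a test suite can run over rendered output: does any
// raw <script> tag survive in the HTML string?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: two harmless names and one string carrying markup.
const userStrings = ['alice', 'bob', '<script>alert(1)</script>'];

// Vulnerable path: the markup is emitted as-is.
console.log(renderListUnescaped(userStrings));
// Workaround path: the markup is rendered as inert text.
console.log(renderListWithWorkaround(userStrings));
// Pre-escaped input fed to a fixed framework is escaped twice and renders
// literally as "&lt;script&gt;..." on screen, so drop the workaround on upgrade.
console.log(renderListFixedFramework(userStrings.map(item => escapeHtml(item))));
```

The `containsRawScriptTag` check is only a smoke test for this example; it catches the sample payload, not every way markup can reach innerHTML. The last `console.log` is the caveat practitioners trip over: once on a fixed version (1.0.1, 1.1.3, 1.2.1, 1.3.1 or 1.4.0-beta.2), escaping the value yourself and letting the framework escape it again double-encodes it, so the pre-escaping workaround should be removed when upgrading.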

Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for 1.0.0, 1.1.2, 1.2.0, 1.3.0, and 1.4.0-beta.1. They are in
git-am format and consist of a single changeset.

patch_for_1.0.0.diff
patch_for_1.1.2.diff
patch_for_1.2.0.diff
patch_for_1.3.0.diff
patch_for_1.4.0-beta.1.diff

Credits
-------

This vulnerability was discovered by Robert Jackson of DockYard. Many
thanks for working with us on the patches and advisory.