[CVE-2015-7565] XSS Vulnerability in Ember.js with User-Supplied JSON

Tom Dale

Jan 14, 2016, 5:00:04 PM1/14/16
to ember-s...@googlegroups.com
There is a vulnerability where values bound to the DOM are not properly
escaped if the value provided is an object that contains a `string`
property. This vulnerability has been assigned CVE-2015-7565.

Versions Affected: 1.8.x, 1.9.x, 1.10.x, 1.11.x, 1.12.x, 1.13.x, 2.0.x,
2.1.x, 2.2.x
Not Affected: Versions prior to 1.8.0
Fixed Versions: 1.11.4, 1.12.2, 1.13.12, 2.0.3,
2.1.2, 2.2.1

Impact
------

By default, Ember will escape any values in Handlebars templates that
use double curlies (`{{value}}`). Developers can specifically opt out of
this escaping behavior by passing an instance of `SafeString` rather
than a raw string, which tells Ember that it should not escape the
string because the developer has taken responsibility for escapement.

It is possible for an attacker to create a specially-crafted payload
that causes a non-sanitized string to be treated as a `SafeString`, and
thus bypass Ember's normal escaping behavior. This could allow an
attacker to execute arbitrary JavaScript in the context of the current
domain ("XSS").

All users running an affected release should either upgrade or apply one
of the workarounds immediately.

Releases
--------

Releases are available at http://emberjs.com/builds/#/tagged and via
Bower.

Workarounds
-----------

For user-supplied content that is used in Handlebars templates, ensure
that the values are primitives like numbers, strings and Booleans. In
order to be vulnerable to this attack, the user must be able to supply a
JavaScript object that:

1) contains a `string` property, and
2) is used in a Handlebars template.

Ensure that you are not using `JSON.parse()` to parse arbitrary data
from users that is then used in a Handlebars template.
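The bug class in the Impact section and the workaround above, as an added example that is not Ember's own code: a simplified model of the escaping step, with the duck-typed "looks like a SafeString" check beside an instance check, plus a parser that accepts only JSON primitives. The `SafeString`, `escapeHtml`, `bindVulnerable`, `bindFixed` and `parsePrimitiveJson` names are assumptions for this illustration and do not mirror Ember's internals.

```javascript
// Added example (not Ember's code): a simplified model of the weakness this
// advisory describes. Ember's real escaping logic differs in detail.

class SafeString {
  constructor(s) { this.string = s; }
  toString() { return this.string; }
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
  })[c]);
}

// VULNERABLE (modelled): any object carrying a `string` property is trusted,
// so attacker-controlled JSON such as {"string":"<b>x</b>"} is not escaped.
function bindVulnerable(value) {
  if (value && typeof value === 'object' && typeof value.string === 'string') {
    return value.string;
  }
  return escapeHtml(value);
}

// FIXED: only a SafeString instance created by developer code is trusted;
// a plain object is stringified and escaped like any other value.
function bindFixed(value) {
  if (value instanceof SafeString) return value.toString();
  return escapeHtml(value);
}

// Workaround from the advisory: accept only primitives from user-supplied JSON,
// so no object with a `string` property can ever reach a template binding.
function parsePrimitiveJson(text) {
  const v = JSON.parse(text);
  const t = typeof v;
  if (v === null || t === 'number' || t === 'string' || t === 'boolean') return v;
  throw new TypeError('expected a JSON primitive, got ' + (Array.isArray(v) ? 'array' : t));
}

// Constructed sample input standing in for an attacker-controlled JSON body.
const untrusted = '{"string":"<b>x</b>"}';
const obj = JSON.parse(untrusted);
console.log(bindVulnerable(obj)); // <b>x</b>  (markup reaches the DOM)
console.log(bindFixed(obj));      // [object Object]
```

Run with `node` to see the two outputs; `parsePrimitiveJson(untrusted)` throws instead of returning the object.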

Credits
-------

This vulnerability was reported to us by Roman Shafigullin at LinkedIn.
Many thanks for working with us on the patches and advisory.

Thanks to Robert Jackson at Twitch for authoring the patch and doing the release engineering.