Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regression of #56 - strings.ToLower allows input of SCRIPT tag #111

Closed
buro9 opened this issue Mar 27, 2021 · 0 comments
Closed

Regression of #56 - strings.ToLower allows input of SCRIPT tag #111

buro9 opened this issue Mar 27, 2021 · 0 comments
Assignees
@buro9

Comments

@buro9
Copy link
Member

buro9 commented Mar 27, 2021
edited

Reported by @Ry0taK at 2021-03-27T01:00

I'm a security researcher who has been fuzzing famous XSS sanitizers.

While fuzzing the sanitizers, my fuzzer triggered an alert that shows bluemonday is vulnerable to bypass.
After some checks, I confirmed that this is a vulnerability, so I'm reporting it here.

While checking the issues on the bluemonday repository, I realized that this is the same issue as #56 (Which must be resolved already as it's closed.)
As there is no doubt this vulnerability occurred again in somewhere of previous commits, I decided to find it.
And it was a commit that added vulnerable code again: 876b478#diff-c62e8d687f2dd220893e9990667b682f3261099565c254e3d236178f07729920
(It's now moved to here:

bluemonday/sanitize.go

Line 232 in 22ed312

mostRecentlyStartedToken = strings.ToLower(token.Data)
)

To reproduce this, please use the following steps:

  1. Download the attached bluemonday.zip
  2. Extract it.
  3. Run test.go: "go run test.go"
  4. Sanitization bypass will be shown.

If you are going to fix this issue, please let me know. I can assign CVE to notify this issue to users.

Best regards,
RyotaK

bluemonkey.zip
@buro9 buro9 self-assigned this Mar 27, 2021
@buro9 buro9 closed this as completed in 524f142 Mar 27, 2021
buro9 added a commit that referenced this issue Mar 27, 2021
@buro9
Merge pull request #112 from microcosm-cc/buro9/issue111
f0b9183 
Resolves #111 carefully escape tag names
umputun added a commit to umputun/remark42 that referenced this issue Apr 3, 2021
@umputun
update bluemonday to v1.0.5 to fix microcosm-cc/bluemonday#111
d2da514
umputun added a commit to umputun/remark42 that referenced this issue Apr 3, 2021
@umputun
update bluemonday to v1.0.5 to fix microcosm-cc/bluemonday#111
961b8aa
@zeripath zeripath mentioned this issue Apr 10, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@buro9 buro9

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@buro9