CVSS v3 base metrics (as scored by the vulnerability database hosting this advisory)

Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): Low
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.

Integrity (I): Low
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.

Availability (A): None
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Zurb Foundation 5.5.3 / 5.5.1 Cross Site Scripting

XSS vulnerability in the tooltip plugin of Zurb Foundation 5.x
=============================================================
URL to this advisory: https://nop.li/foundation5tooltipxss
Vendor
======
http://zurb.com/
Product
=======
(Taken from http://foundation.zurb.com/sites/docs/v/5.5.3/)
Foundation is the most advanced, responsive front-end framework in the world. The framework is mobile
friendly and ready for you to customize it any way you want to use it.
Vulnerability Type
==================
Cross-Site-Scripting Vulnerability
CVE Reference
=============
N/A
Vulnerability Details
=====================
The Foundation framework provides an easy way to insert tooltips into your markup. The corresponding plugin
for this is *foundation.tooltip.js*. Unfortunately the plugin reads the HTML-encoded content of the title
attribute and re-inserts it as live HTML, allowing an attacker to inject dynamic HTML/JS into an
application wherever user input ends up in the title attribute of a tooltip'ed SPAN element. Even if the
user input is correctly HTML-encoded before it is placed in the title attribute, the browser decodes the
entities when it parses the attribute, and the Foundation tooltip JavaScript then treats the decoded value
as HTML markup rather than as text, so the injected code becomes part of the page.
Example code
============
This code snippet shows a simple HTML page with HTML-encoded script in the title attribute of a tooltip'ed SPAN, utilizing the Foundation JS plugin.
<!DOCTYPE html>
<html class="no-js" lang="en">
<head>
<meta charset="utf-8">
<meta content="width=device-width, initial-scale=1.0" name="viewport">
<title>Foundation 5 Tooltip XSS example</title>
<script src="/foundation/js/vendor/modernizr.js"></script>
<link href="/css/vpnauth.css" rel="stylesheet">
<link href="/css/font-awesome.min.css" rel="stylesheet">
</head>
<body>
<span data-tooltip data-options="hover_delay: 50;" class="has-tip"
title="&lt;script&gt;alert(&quot;Oh crap! XSS'ed&quot;);&lt;/script&gt;">This is a tooltip'ed SPAN</span>
<!-- Begin Foundation JavaScript includes //-->
<script src="/foundation/js/vendor/jquery.js"></script>
<script src="/foundation/js/foundation/foundation.js"></script>
<script src="/foundation/js/foundation/foundation.tooltip.js"></script>
<script>//<![CDATA[
$(document).foundation();
//]]></script><!-- End Foundation JavaScript includes //-->
</body>
</html>
When opened in a browser, the encoded HTML from the title attribute of the SPAN (line 12 of the snippet) is read by the
tooltip plugin, which receives the browser-decoded value and inserts it into the tooltip as plain HTML, so the
script element ends up in the page. A JavaScript alert window will pop up.
Quick fix/Workaround
====================
The problem lies in line 197 of *foundation.tooltip.js*:
var $tip = $(tip_template(this.selector($target),
$('<div></div>').html($target.attr('title')).html())),
classes = this.inheritable_classes($target);
The title attribute is read and inserted as HTML without any sanitization. As a quick fix, one could
use jQuery's .text() function so that the value read from the title attribute is treated as text (and is
therefore entity-encoded when it is serialized back to HTML). This might not be a full fix for the issue,
but it at least worked in my examples.
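To make the decode-then-inject behaviour above concrete, here is an added model in plain JavaScript; it is neither Foundation's code nor the advisory author's. It runs under Node without a DOM, so browser attribute parsing, jQuery's .html()/.text() round trips and the plugin's tip_template are approximated by small helper functions (the template markup, the helper names and the sample inputs are assumptions or constructed for the demo). It traces a user-supplied string through server-side encoding, attribute parsing, and both the vulnerable line and a .text()-based variant, and includes a benign input to show that the hardened variant renders ordinary text containing & and < exactly as the vulnerable one does.

```javascript
// Added model of the tooltip plugin's vulnerable line and of a hardened variant.
// This is NOT Foundation's code: browser parsing/serialisation and the plugin's
// tip_template are approximated by small helpers so the pipeline runs under Node.

// Browser attribute parsing: entities in title="..." are decoded, and this decoded
// string is what jQuery's $target.attr('title') hands to the plugin.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" yields "&lt;" and not "<"
}

// Correct server-side encoding of user input before it is placed in an attribute.
function escapeForAttribute(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// innerHTML serialisation of a text node: only &, < and > are escaped (quotes are not).
function serializeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Vulnerable path, modelling $('<div></div>').html(markup).html():
// tags survive the parse/serialise round trip, text between them is re-serialised.
function htmlRoundTrip(markup) {
  return markup.replace(/<\/?[a-zA-Z][^>]*>|[^<]+|</g, (token) =>
    /^<\/?[a-zA-Z]/.test(token) ? token : serializeText(decodeEntities(token)));
}

// Hardened path, modelling $('<div></div>').text(value).html():
// the whole value becomes one text node, so any markup in it is entity-encoded.
function textToHtml(value) {
  return serializeText(value);
}

// Simplified stand-in for the plugin's tip_template(selector, content) (assumed markup).
function tipTemplate(selector, content) {
  return '<span data-selector="' + selector + '" class="tooltip" role="tooltip">' +
    content + '<span class="nub"></span></span>';
}

// End-to-end: user input -> attribute source -> attr('title') -> plugin -> tooltip markup.
function renderTooltip(userInput, variant) {
  const attributeSource = escapeForAttribute(userInput);     // what the server writes into title="..."
  const titleSeenByPlugin = decodeEntities(attributeSource); // what $target.attr('title') returns
  const content = variant === 'fixed'
    ? textToHtml(titleSeenByPlugin)
    : htmlRoundTrip(titleSeenByPlugin);
  return tipTemplate('tooltip0', content);
}

// Crude detector for markup that would execute: script elements or inline event handlers.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample inputs (not taken from the advisory).
const SCRIPT_PAYLOAD = '<script>alert("XSS")</script>';
const IMG_PAYLOAD = '<img src=x onerror=alert(1)>';
const BENIGN_INPUT = 'Tom & Jerry\'s "best" <3 episode';

for (const input of [SCRIPT_PAYLOAD, IMG_PAYLOAD, BENIGN_INPUT]) {
  for (const variant of ['vulnerable', 'fixed']) {
    const html = renderTooltip(input, variant);
    console.log(variant.padEnd(10), containsActiveMarkup(html) ? 'ACTIVE' : 'inert ', html);
  }
}
```

The point the model makes: the server's encoding is consumed by the browser's attribute parser, so by the time the plugin runs there is only one layer of encoding left to lose, and `.html()` loses it. Setting the value with `.text()` and then serialising it re-applies exactly one layer, which is why the benign input renders identically on both paths while the script and img payloads come out as inert entities.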
Here is a diff for quick patching:
--- ./foundation.tooltip.js.orig 2016-11-28 16:57:31.000000000
+0100
+++ ./foundation.tooltip.js 2016-11-29 10:45:16.000000000 +0100
@@ -196,3 +196,3 @@
- var $tip = $(tip_template(this.selector($target),
$('<div></div>').html($target.attr('title')).html())),
+ var $tip = $(tip_template(this.selector($target),
$('<div></div>').html($target.attr('title').text()).html())),
classes = this.inheritable_classes($target);
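Review bot: the replacement line calls .text() on the return value of $target.attr('title'), which is a plain string, so this line throws a TypeError ("$target.attr(...).text is not a function") and the tooltip is never built; the alert disappears because the plugin aborts, not because the value is sanitised, and the tooltip feature stops working for every element. The sanitising variant is to let jQuery insert the value as a text node and then serialise it, i.e. `$('<div></div>').text($target.attr('title')).html()`, which yields an entity-encoded string that the template can safely concatenate.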
Affected versions
=================
Successfully tested in Zurb Foundation 5.5.1 and 5.5.3
Timeline
========
- 2016-03-01: Opened issue with Zurb
- 2016-03-03: Reply from a Foundation DEV and assignment to a different developer to take care of it
- 2016-04-20: Nothing happened, thus I asked for an update on the issue. No reply.
- 2016-06-08: Still nothing happened. Asked for an update again. No reply.
- 2016-11-28: Still no reply, so I closed the ticket and announced the disclosure
- 2016-11-29: Release of this advisory
Disclaimer
==========
The information contained within this advisory is supplied "as-is" with no warranties or guarantees
of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due credit is given. Permission
is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained
herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author
or elsewhere.