[DOMPurify Security] New Release Version 0.4.5 (Minor Security Issue)
Security Announcements for DOMPurify and related tools
dompurify-security at lists.ruhr-uni-bochum.de
Fri Jan 16 13:31:42 CET 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*Intro*
A new version of DOMPurify was released today: DOMPurify 0.4.5
*Background*
A minor security issue was reported by @filedescriptor:
The DOM clobbering check did not work properly in all situations. An
attacker was able to clobber empty yet existing DOM properties.
*Example*
The HTML string `<img src=x name=cookie>` allowed to clobber
`document.cookie` and set it to a value like `[object HTMLImageElement]`.
There is however no evidence, that arbitrary strings could have been
clobbered into `document.cookie`, giving the attack fairly small yet
existing and actionable impact.
*Fix*
The fix commit is available here:
https://github.com/cure53/DOMPurify/commit/1fb9038b8f6b192a81696a5ff3e7236f2909eebf
The clobbering checks were improved, now using the "in" operator
instead of checking the presence of a value.
The fix was suggested and reviewed by the reporter.
*Packages*
Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/0.4.5
EOF
- --
Fon +49 1520 8675782
PGP 0xD33441A8
S/MIME kuix.de/smime-keyserver/
cure53.de || mario.heideri.ch || 0x6D6172696F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJUuQSsAAoJEHDUy0rTNEGowrkH/jdXEMDqsVkwfDj1rJTZ4v4F
c6LlF+JTelbYxsIF1r/z9t7DNvpYu1cEzMUEHyR9TkWSL34Ad8q0G8JC2Py7rtDQ
H7pLFRWPsZlk0hq+dbcEs0PlpfAbpqlfR/kReP4Cl+OWXfI34bk4Q1YOVU+7d0AB
oW8TD/To3rWbAVGgoCu5vhPLAhGfN6urpov2WuHoV4GiZDSR0W/WLGou3Sy/MBEU
/ZrFW4/VIuM+63Ay1FIXh6rVawnyLPpqLG8g4GtuBJmAbS3VAo5bEeJSAUuiWTSs
9dE4N2oU2wURCxkSX2UsQpWjzr7d3uXLFPzAB1DPwsjUq9h5+E4qPE/H0Zx4xTk=
=kvcS
-----END PGP SIGNATURE-----
More information about the DOMPurify-Security
mailing list