Cross-site Scripting (XSS)

Affecting loofah gem, versions <2.2.1

Overview

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. Loofah allows non-whitelisted attributes to remain in the sanitized output when it is given specially-crafted HTML fragments as input.

The vulnerability is possible only when the following conditions are met:

  • when running on MRI or RBX,
  • in combination with libxml2 >= 2.9.2.

Note: JRuby users are not affected.

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user’s browser into executing malicious JavaScript code in the context of a victim’s domain. Such scripts can steal the user’s session cookies for the domain, scrape or modify its content, and perform or modify actions on the user’s behalf, actions that the browser’s Same Origin Policy would otherwise block.

These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional elements (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists in the web app’s database and is served to every user who views the affected content.
  • Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an attack that occurs purely in the browser, when client-side JavaScript echoes back a portion of the URL onto the page. DOM-based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

Remediation

Upgrade Loofah to version 2.2.1 or higher.
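Upgrading is the fix. As an added defence-in-depth illustration (this is not code from Loofah or from this advisory), the Ruby check below audits sanitizer output a second time against an explicit attribute allow-list and fails closed on anything unexpected or malformed. The allow-list policy and the sample fragments are constructed for the example, and it assumes the sanitized fragment is serialized as well-formed XML (for instance via Nokogiri's to_xml) so that REXML from the standard library can parse it.

```ruby
require "rexml/document"

# Constructed allow-list of attributes per element. This is the application's own
# policy for the check, not Loofah's built-in scrubber configuration.
ALLOWED_ATTRS = {
  "a"   => %w[href title],
  "img" => %w[src alt],
  "p"   => [],
  "b"   => [],
}.freeze

# Sample fragments, constructed for this example. The second one carries an
# attribute that no element in the policy permits.
CLEAN_SAMPLE   = '<p>Hello <a href="https://example.com" title="t">link</a></p>'
TAINTED_SAMPLE = '<p>Hello <a href="https://example.com" onclick="x()">link</a></p>'

# Walk the sanitized output and return "element@attribute" for every attribute
# that is not on the allow-list. An empty array means the output conforms.
# Elements that are absent from the policy are allowed no attributes at all.
def disallowed_attributes(sanitized_html)
  doc = REXML::Document.new("<root>#{sanitized_html}</root>")
  findings = []
  doc.root.each_recursive do |el|
    allowed = ALLOWED_ATTRS.fetch(el.name, [])
    el.attributes.each_attribute do |attr|
      findings << "#{el.name}@#{attr.name}" unless allowed.include?(attr.name)
    end
  end
  findings
end

# Gate used before rendering: true only when the fragment parses cleanly and
# carries no disallowed attribute. Malformed markup fails closed.
def safe_to_render?(sanitized_html)
  disallowed_attributes(sanitized_html).empty?
rescue REXML::ParseException
  false
end

if __FILE__ == $0
  puts "clean:   #{safe_to_render?(CLEAN_SAMPLE)}"     # true
  puts "tainted: #{disallowed_attributes(TAINTED_SAMPLE).inspect}"  # ["a@onclick"]
end
```

Used as a regression test around the sanitizer, this turns a silent allow-list bypass into a failed build or a rejected request rather than rendered markup.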

CVSS Score

6.1 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Credit: Shopify Application Security Team
CVE: CVE-2018-8048
CWE: CWE-79
Snyk ID: SNYK-RUBY-LOOFAH-22023
Disclosed: 15 Mar, 2018
Published: 21 Mar, 2018