Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-23520: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)

Medium
I
Internet Bug Bounty
Submitted None

Team Summary

Official summary from Internet Bug Bounty

###Summary There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of [CVE-2022-32209](https://github.com/advisories/GHSA-pg8v-g4xq-hww9). - Versions affected: ALL - Not affected: NONE - Fixed versions: 1.4.4 ###Impact A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements. Code is only impacted if allowed tags are being overridden using either of the following two mechanisms: 1. Using the Rails configuration ```config.action_view.sanitized_allow_tags=```: ``` #In config/application.rb config.action_view.sanitized_allowed_tags = ["select", "style"] ``` (see https://guides.rubyonrails.org/configuring.html#configuring-action-view) 2. Using the class method Rails::Html::SafeListSanitizer.allowed_tags=: ``` #class-level option Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"] ``` All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately. NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms: - the ``:tags`` option to the Action View helper method ``sanitize``. - the ``:tags`` option to the instance method ``SafeListSanitizer#sanitize``. ###Workarounds Remove either "select" or "style" from the overridden allowed tags. ###References [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209) https://hackerone.com/reports/1654310

Actions:
View on HackerOne
Reported by 0b5cur17y

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Generic
The following is from: https://hackerone.com/reports/1654310 While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability suggested that this should fix it (see here: https://hackerone.com/reports/1530898). I built this app with Rails 7.0.3.1 by just running "rails new", adding `config.action_view.sanitized_allowed_tags = ["select", "style"]` to the file `config/application.rb` and creating an endpoint that reflected a parameter after sanitizing it (ERB: `<p>Hello <%= sanitize @name %></p>`). When using the payload `<select><style><script>alert("XSS")</script></style></select>` for the parameter I got an alert no matter what the version of rails-html-sanitizer was. I believe the reason is the following. There are two ways you can pass the list of allowed tags to the sanitizer. One is via a list of tags stored in a class attribute, the other is via an argument passed into the `sanitize` method. The fix only considered the second way but the first one was forgotten. See the commit with the fix here: https://github.com/rails/rails-html-sanitizer/commit/c871aa4034d3d80ad67cf33a3462154b0a0fb477#diff-0daf33b9062eb5ccdeae86ed8bf2662a6e8669f1a7db590802b7f3b36ea47426R159 The relevant part of the code is this: ```ruby module Rails module Html class SafeListSanitizer < Sanitizer ... def remove_safelist_tag_combinations(tags) if !loofah_using_html5? && tags.include?("select") && tags.include?("style") warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'") tags.delete("style") end tags end def allowed_tags(options) if options[:tags] remove_safelist_tag_combinations(options[:tags]) else self.class.allowed_tags end end ... end end end ``` Method `remove_safelist_tag_combinations` is introduced to remove `style` from the allow list if `select` is in there. However, within method `allowed_tags` this cleanup is only applied to the tag list in the `options`, not to ` self.class.allowed_tags`, the list stored in the sanitizer class. However, it seems that the configuration in `config/application.rb` which I've set above put the list into the class variable (I've sprinkled a few `puts` here and there to confirm that). Moreover, when moving the allow list from `config/application.rb` into the ERB template (`<p>Hello <%= sanitize @name, tags: ["select", "style"] %></p>`), the update from 1.4.2 to 1.4.3 does fix the problem. ## Impact It is possible to bypass Rails::Html::SafeListSanitizer filtering and perform an XSS attack.

Related CVEs

Associated Common Vulnerabilities and Exposures

CVE-2022-32209 UNKNOWN

# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer …

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2400.00

Submitted

Weakness

Cross-site Scripting (XSS) - Generic