#14731 closed bug (worksforme)

Opened October 18, 2015 07:24AM UTC

Closed October 18, 2015 09:26AM UTC

XSS Vulnerability on _attachDatepicker function

Reported by: phatly27 Owned by:
Priority: minor Milestone: none
Component: ui.datepicker Version: 1.9.2
Keywords: Cc:
Blocked by: Blocking:
Description

VULNERABILITY DETAILS

A potential bug enables us to inject XSS content into an attribute (with the format "date:[PROPERTY_IN_DEFAULTS_DATEPICKER]") of any HTML element using the _attachDatepicker function of the ui.datepicker component. This function uses the eval syntax to evaluate JavaScript code dynamically.

VERSION

Any site using an older version, from version 1.9.2 back to the lowest version.

REPRODUCTION CASE

1. Create a new HTML page.

2. Inject this content into the new page.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    
    <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
    <script src="https://code.jquery.com/ui/1.9.2/jquery-ui.min.js"></script>
    <script>
        $(document).ready(function () {
            $.datepicker.setDefaults({
                buttonText: 'abcde'
            });
            $.datepicker._attachDatepicker(document.getElementById("abc"));
            $('#datepicker').datepicker();
        });
    </script>
</head>
<body>
    <div id="abc" date:buttonText="alert('XSS')">
        <input name="datepicker" id="datepicker" type="text"/>
    </div>
</body>
</html>

3. An alert popup was shown.

4. Completed.

IN CONCLUSION

We expect that the alert popup shouldn't be displayed and that the eval syntax should be removed instead. If it is displayed, any attacker can take advantage of this by injecting malicious XSS content into the website.

Please see details here: http://jsfiddle.net/wanc8t9g/.
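The attribute-reading step the report describes, with the eval() pattern beside a reader that cannot execute code. This is an added example, not jQuery UI's own code; `defaults`, `fakeElement` and `probe` are stand-ins assumed so it runs outside a browser.

```javascript
// Subset of datepicker defaults; the real table is longer (assumed for the demo).
const defaults = { buttonText: '...', numberOfMonths: 1, showButtonPanel: false };

// Minimal stand-in for a DOM element: only getAttribute() is needed here.
function fakeElement(attrs) {
  return { getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}

// Records whether attribute text was ever run as code.
const probe = { evaluated: 0 };

// VULNERABLE pattern (as the report describes): attribute text goes to eval(),
// so whoever controls the markup controls what runs in the page.
function readInlineSettingsUnsafe(target) {
  const settings = {};
  for (const name in defaults) {
    const raw = target.getAttribute('date:' + name);
    if (raw) {
      try { settings[name] = eval(raw); } catch (e) { settings[name] = raw; }
    }
  }
  return settings;
}

// HARDENED: JSON.parse never executes code; anything that is not valid JSON is
// kept as a plain string, and a value is accepted only if its type matches the
// default's type, so "alert('XSS')" is just an inert string for buttonText.
function readInlineSettingsSafe(target) {
  const settings = {};
  for (const name in defaults) {
    const raw = target.getAttribute('date:' + name);
    if (raw === null) continue;
    let value;
    try { value = JSON.parse(raw); } catch (e) { value = raw; }
    if (typeof value === typeof defaults[name]) settings[name] = value;
  }
  return settings;
}

// Constructed markup mirroring the report's <div id="abc" date:buttonText=...>.
const el = fakeElement({
  'date:buttonText': "probe.evaluated++, 'abcde'",
  'date:numberOfMonths': '2',
  'date:showButtonPanel': 'true',
});
```

The hardened reader still hands `buttonText` to the widget as a string, so it must be HTML-escaped where the widget renders it; parsing safely removes the code-execution path, not the need for output encoding.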

Change History (1)

Changed October 18, 2015 09:26AM UTC by scottgonzalez comment:1

resolution: → worksforme
status: new → closed

None of these versions are supported any more. Any site using such an old version isn't going to be any safer even if we released a new 1.9.x, which we won't. I'm closing as works for me since it has already been fixed for a long time.