stackexchange uses an unpatched version of jQuery < 3.4.0 which exposes it to prototype pollution in stackexchange/dnscontrol

Valid

Reported on

Jul 12th 2022


Description

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones.

This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses pre-defined attributes of the object prototype (such as hasOwnProperty, toString or valueOf).

Impact

  • Integrity: An attacker can inject attributes that are used in other components.
  • Availability: An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.

Occurrences

Proof of Concept

Open your browser console and paste the following code:

$.extend(true, {}, JSON.parse('{ "__proto__": { "polluted": true } }'))
console.log({}.polluted)
// returns true

Mitigation

The patch can be found at the following link:

https://github.com/DanielRuf/snyk-js-jquery-174006

Proof of Fix

After fixing your code, the same command should return undefined:

$.extend(true, {}, JSON.parse('{ "__proto__": { "polluted": true } }'))
console.log({}.polluted)
// returns undefined
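
The proof of concept and the proof of fix above, as an added example that is not code from the report, from jQuery or from dnscontrol: a minimal deep merge that mirrors how jQuery.extend(true, ...) behaved before 3.4.0, beside the same merge carrying the "__proto__" guard jQuery 3.4.0 added. It runs in Node without jQuery; the function names are assumed for illustration.

```javascript
// Added example, not from the report, jQuery or dnscontrol; names are assumed.
// jQuery treats an object as "plain" when its prototype is Object.prototype or
// null; since Object.prototype's own prototype is null, the merge descends into it.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable: mirrors jQuery.extend(true, target, source) before 3.4.0. Every
// own key is copied, "__proto__" included, so the nested keys of a
// {"__proto__": {...}} payload land on the shared Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendVulnerable(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: same merge, but "__proto__" is skipped (the check jQuery 3.4.0 added).
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendSafe(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Feeds the report's PoC payload to a merge, reports pollution, then cleans up.
function runPoc(extendFn) {
  const payload = JSON.parse('{ "__proto__": { "polluted": true } }');
  extendFn({}, payload);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return polluted;
}

console.log(runPoc(deepExtendVulnerable), runPoc(deepExtendSafe)); // true false
```

The hasOwnProperty check in runPoc is also the cheapest runtime detection for this class of bug: after any untrusted deep merge, a new own property on Object.prototype means the merge walked into the prototype chain.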

We are processing your report and will contact the stackexchange/dnscontrol team within 24 hours. 22 days ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 21 days ago
Timothee Desurmont modified the report 16 days ago
Jamie Slome (Admin) 16 days ago

Hi Timothee, it looks like you tried to edit the report on 12th July @ 1 PM UTC. This process failed, and so I have re-run this for you just now :)

We have contacted a member of the stackexchange/dnscontrol team and are waiting to hear back 15 days ago
We have sent a follow up to the stackexchange/dnscontrol team. We will try again in 7 days. 12 days ago
We have sent a second follow up to the stackexchange/dnscontrol team. We will try again in 10 days. 5 days ago
stackexchange/dnscontrol maintainer modified the Severity from Critical to Low 5 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
stackexchange/dnscontrol maintainer validated this vulnerability 5 days ago
Timothee Desurmont has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
stackexchange/dnscontrol maintainer confirmed that a fix has been merged on 9f5c35 5 days ago
The fix bounty has been dropped
default.html#L10 has been validated