CSS injection vulnerability in \unicode{} macro #3241
Comments
#3129 😃

As mentioned by @maxgubler, this is a duplicate of #3129. See that issue for a work-around. It is resolved in v4 (now out in beta).
Thanks, @spixi, for reporting this and documenting the situation so thoroughly. A project I contribute to received an issue comment from GitHub user https://github.com/simul on Friday, June 7, that was almost identical—if not completely identical—to the one shown in the screenshot in this issue description. When viewing the issue page, the viewport was immediately "taken over" by a full-screen image (it was a flashing image of a Discord URL). I used

```
sup

$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: 5; position: fixed; inset: 0; opacity: 100%; background-size: 100% 100%; background-image: url('https://github.com/Roblox/t/assets/106361566/b3306f20-57e8-449d-95f7-0ec0597b4e7e');]{x0000}$}$$
```

Do any of you know whether this issue has been reported to GitHub, Inc.? I am wondering whether they are aware of it as it may motivate them to upgrade to MathJax v4 (i.e. the version of MathJax that contains the fix).
I believe that the GitHub folk are aware of it. I observed the exploit in comments on two issues on the microsoft/vscode repo. One of the Issues had been created by a core team member, a Microsoft employee. I emailed to alert him. Shortly afterwards the comment on his issue got hidden as abuse. The one on the other issue remained in hidden but was now defanged and accompanied by a notification that the

Yes, it was exactly the same code with the same flashing GIF image. I reported the user for "Active Malware or Exploits" and it seems they already have deleted the user simulified. The organization simul has nothing to do with this.

Note that the original issue #3129 includes a v3 configuration that fixes the issue, so GitHub (and anyone else) could use that if they are not prepared to move to v4.
Issue Summary

The `\unicode{}` macro can be abused to load external resources using the CSS attribute `background-image` (and possibly also other CSS attributes) with the `url()` function.

Steps to Reproduce:

A certain GitHub user page shows an inappropriate image upon opening their profile. In the following screenshot I stopped it before rendering.

The user also used the exploit in comments to GitHub issues like wesnoth/wesnoth#8964

The exploit can also be found in that user's profile here:

https://raw.githubusercontent.com/*username*/*username*/main/README.md

The URL in that script appears to be a `github.com` URL, but actually redirects to a `github-production-user-asset-6210df.s3.amazonaws.com` URL.

The background image is automatically loaded from an external source, specified by the attacker. This may endanger the user's privacy and in the worst case could also be abused to prepare other attacks, e.g. by stealing session tokens, clickjacking or phishing.

This also may be exploitable with other CSS attributes like `src` in a `@font-face` rule.

This vulnerability may be related to CVE-2018-1999024
Technical details:
I am using the following MathJax configuration:
(unknown)
and loading MathJax via
(unknown)
Supporting information:
see screenshot
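The abuse pattern described in the report and in the quoted comment (a fake font name followed by `;`-separated CSS declarations, one of them a `background-image: url(...)`) can be checked for mechanically before user-supplied markdown reaches a MathJax v3 renderer. The following is an added example, not code from the MathJax project or from anyone in this thread. It assumes, from the structure of the quoted payload, that MathJax v3 copies the bracketed font option of `\unicode[height,depth][font]{codepoint}` (or the one-bracket form `\unicode[font]{codepoint}`) into an inline `font-family` style; the regular expressions, the function names `findUnicodeCssInjection` and `hostOf`, and the sample text are this example's own and are not a MathJax API.

```javascript
// Added example (not MathJax project code). Scans submitted text for
// \unicode macros whose "font" option carries CSS declarations or url()
// calls, i.e. the CSS injection pattern discussed in this issue.

// First bracket (required), optional second bracket, then {codepoint}.
const UNICODE_MACRO = /\\unicode\s*\[([^\]]*)\](?:\s*\[([^\]]*)\])?\s*\{([^}]*)\}/g;
// A legitimate first option of the form "height,depth" (numbers only).
const HEIGHT_DEPTH = /^\s*(\d+(\.\d*)?|\.\d+)\s*,\s*(\d+(\.\d*)?|\.\d+)\s*$/;
// url() calls inside the injected declarations (single, double or no quotes).
const URL_CALL = /url\(\s*['"]?([^'")\s]+)['"]?\s*\)/gi;

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

/** Returns one finding per \unicode macro whose font option carries CSS. */
function findUnicodeCssInjection(text) {
  const findings = [];
  for (const m of text.matchAll(UNICODE_MACRO)) {
    const [, first, second, codepoint] = m;
    // Assumed parse order: if the first bracket is "h,d", the font is the
    // second bracket; otherwise the first bracket is the font itself.
    const font = HEIGHT_DEPTH.test(first) ? (second ?? '') : first;
    // A font-family name never contains ':'. Every "name: value" segment
    // is therefore an injected declaration; the leading segment without
    // a colon ("goombafont" in the quoted payload) is the decoy family name.
    const properties = font.split(';')
      .map(s => s.trim())
      .filter(s => s.includes(':'))
      .map(s => s.slice(0, s.indexOf(':')).trim().toLowerCase());
    // Extract from the whole option so data: URLs containing ';' survive.
    const urls = [...font.matchAll(URL_CALL)].map(u => u[1]);
    if (properties.length || urls.length) {
      findings.push({
        offset: m.index,
        codepoint,
        properties,
        urls,
        hosts: urls.map(hostOf),
      });
    }
  }
  return findings;
}

// Constructed sample input: the payload quoted in this thread, embedded in
// a comment, plus two legitimate uses of the macro that must not be flagged.
const SAMPLE_TEXT = [
  'sup',
  '',
  "$$\\ce{$\\unicode[goombafont; color:red; pointer-events: none; z-index: 5; position: fixed; inset: 0; opacity: 100%; background-size: 100% 100%; background-image: url('https://github.com/Roblox/t/assets/106361566/b3306f20-57e8-449d-95f7-0ec0597b4e7e');]{x0000}$}$$",
  '',
  'Legitimate: $\\unicode[.55,0.05][Times New Roman]{x22D6}$ and $\\unicode{x263A}$',
].join('\n');

function demo() {
  const findings = findUnicodeCssInjection(SAMPLE_TEXT);
  for (const f of findings) {
    console.log(`\\unicode{${f.codepoint}} at offset ${f.offset}: ` +
      `${f.properties.length} injected declarations ` +
      `(${f.properties.join(', ')}); ` +
      `external resources: ${f.urls.join(', ') || 'none'} ` +
      `(hosts: ${f.hosts.join(', ') || 'none'})`);
  }
  return findings;
}

demo();
```

Run with `node` on the sample; the single finding lists eight injected declarations and the `github.com` URL. Note that the reported hostname is whatever the `url()` literal says, so, as the report observes, a `github.com` host does not mean the resource is served from there; the redirect target is only known once the browser follows it, which is exactly what a scanner like this is meant to prevent.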