A security issue regarding inboundAnalytics.min.js

[zifeng-kang]

Hi developers,

We are web-security researchers of JHU System Security Lab. We would like to report a severe security issue regarding the /core/shared/assets/js/frontend/analytics/inboundAnalytics.min.js.

Vulnerability category: client-side prototype pollution.

Potential consequences: attacks such as Cross-Site Scripting, Denial-of-Service, Remote Code Execution or Session Hijacking.

How to trigger: When we navigate to https://(the_website_name)/?__proto__[Key]=Value , the JavaScript code sets the string "Value" into Object.prototype.Key . This would cause a client-side prototype pollution vulnerability. The attacker can set "Key" and "Value" to arbitrary strings, persuade the victim to visit this crafted URL through social engineering and launch an attack such as Cross-Site Scripting, Denial-of-Service, Remote Code Execution and Session Hijacking.

Severity: High.

Vulnerable code location: The function name is setUrlParams. The vulnerable code is n[t(s)][t(r)]=t(e[2]), where s='proto', r='Key', e[2]='Value'.

How to patch: Add a function that can encode the strings "__proto__", "constructor", "prototype":

sanitizeKey = function(t) {
        return t && ["__proto__", "constructor", "prototype"].includes(t.toLowerCase()) ? t.toUpperCase() : t
    }

And apply that function before setting any property from the URL-search query strings. n[t(sanitizeKey(s))][t(r)]=t(e[2])

[atwellpub]

Hi there, this one is a retired plugin, we gutted the contents of setUrlParams and pushed a new version, just to be safe.

Thank you for the report.