DataTables : Security Issue with DataTables : Using eval() in _fnCreateCookie

rubygeek Posts: 1 Questions: 0 Answers: 0
edited October 2013 in General
Many modern programming languages allow dynamic interpretation of source instructions. This capability allows programmers to perform dynamic instructions based on input received from the user. Code injection vulnerabilities occur when the programmer incorrectly assumes that instructions supplied directly from the user will perform only innocent operations, such as performing simple calculations on active user objects or otherwise modifying the user's state. However, without proper validation, a user might specify operations the programmer does not intend.

Example: In this classic code injection example, the application implements a basic calculator that allows the user to specify commands for execution.
[code]
// The operation string comes straight from the form (user-controlled)
userOp = form.operation.value;
// ...and is executed as JavaScript without any validation
calcResult = eval(userOp);
[/code]

The program behaves correctly when the operation parameter is a benign value, such as "8 + 7 * 2", in which case the calcResult variable is assigned a value of 22. However, if an attacker specifies language operations that are both valid and malicious, those operations would be executed with the full privilege of the parent process. Such attacks are even more dangerous when the underlying language provides access to system resources or allows execution of system commands. In the case of JavaScript, the attacker can utilize this vulnerability to perform a cross-site scripting attack.

Occurrence in jquery.dataTables.js (lines 4524-4535):

[code]
/* It's a DataTables cookie, so eval it and check the time stamp */
var aSplitCookie = aCookies[i].split('=');
try {
    oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' );

    if ( oData && oData.iCreate )
    {
        aOldCookies.push( {
            "name": aSplitCookie[0],
            "time": oData.iCreate
        } );
    }
[/code]

We need to get this issue fixed considering the level of security concern.
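The cookie-parsing pattern from the excerpt beside a hardened version that treats the cookie as data rather than code, as an added example that is neither DataTables' own code nor the poster's; the cookie names and values are constructed, and the `iCreate` shape check is an assumption based on the excerpt.

```javascript
// Added example (not DataTables code): parsing a DataTables-style state cookie.

// Pattern from the excerpt: the cookie value is evaluated as JavaScript, so any
// expression an attacker can place in the cookie runs in the page's origin.
function parseStateCookieUnsafe(rawValue) {
  return eval('(' + decodeURIComponent(rawValue) + ')');
}

// Hardened replacement: JSON.parse accepts only JSON data, never code, and the
// expected shape (assumed: an object with a positive integer iCreate) is checked.
function parseStateCookieSafe(rawValue) {
  let data;
  try {
    data = JSON.parse(decodeURIComponent(rawValue));
  } catch (e) {
    return null; // malformed, non-JSON, or badly encoded: treat as no saved state
  }
  if (typeof data !== 'object' || data === null) return null;
  if (!Number.isInteger(data.iCreate) || data.iCreate <= 0) return null;
  return data;
}

// Mirrors the loop in the excerpt: collect {name, time} for every cookie that
// parses as DataTables state, using the safe parser.
function collectOldCookies(cookieHeader) {
  const aOldCookies = [];
  for (const cookie of cookieHeader.split(';')) {
    const idx = cookie.indexOf('=');
    if (idx < 0) continue;
    const name = cookie.slice(0, idx).trim();
    const oData = parseStateCookieSafe(cookie.slice(idx + 1));
    if (oData) aOldCookies.push({ name: name, time: oData.iCreate });
  }
  return aOldCookies;
}

// Constructed document.cookie-style string: one valid state cookie, one whose
// value is a JS expression rather than JSON (rejected without being executed),
// and one unrelated cookie.
const SAMPLE_COOKIES =
  'SpryMedia_DataTables_example=' +
  encodeURIComponent('{"iCreate":1380000000,"iStart":10}') +
  '; SpryMedia_DataTables_other=' +
  encodeURIComponent('({iCreate:1, t:Date.now()})') +
  '; session=abc123';
```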

Replies

  • allan Posts: 63,498 Questions: 1 Answers: 10,471 Site admin
    It's already removed in the 1.10 code (indeed, cookies altogether have been removed in favour of localStorage). The reason eval was being used was for compatibility with old IE - with 1.10, IE 6/7 won't get the state saving feature of DataTables since it uses "modern" APIs.

    Allan