
jlrdw's avatar

What about the Vue bug, where you click on another user's profile and suddenly it showed a post from you? That's also an exploit. But that was a Vue bug, was it not?

Cronix's avatar

It was a bug with how Vue was being used, not Vue itself.

Nash's avatar

@jlrdw This isn't really a bug specific to Laravel or Vue but more of an easily made oversight when combining VueJS (or similar JS frameworks) with server-side rendering and user input in a specific manner.

jlrdw's avatar

It was a bug with how Vue was being used, not Vue itself.

Just funny, if an exploit can happen, the Vue team should do a quick fix to prevent the type of usage.

Or was it a hole Jeffrey put in the forum by mistake somehow?

If it happens here, then it can happen on other sites using Vue.

Maybe someone can explain more how it happened that's unique to Vue, as I don't use Vue.

click's avatar

My topic from yesterday has indeed been removed. But the XSS is still possible, see my profile cover page. I promise you, no automatic replies are done this time.

https://prnt.sc/jcxe9i

jlrdw's avatar

@Nash thanks for the reference, very informative. I guess all frameworks and the JS frameworks should have a big bold warning and a list of these kinds of exploits.

If it was missed here, imagine other sites it happens on.

Snapey's avatar

@jlrdw prior to the patch made by Taylor, anyone creating a new project, implementing make:auth and leaving it at that would be subject to the XSS exploit.

Yes, it's down to Vue, but they may not even be aware that Vue is loaded.

Unfortunately, since the code is only fixed when you redo the layout file, updating Laravel does not stop the exploit.

So I imagine there could be hundreds of thousands of affected sites.
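As an added example, not code from this thread, from Laravel or from Vue, the following Node script models the mechanism Nash and Snapey describe: Blade escapes the signed-in user's name for HTML, the browser undoes that escaping when it parses the page, and a Vue 2 instance mounted on `#app` then compiles the existing markup as its template and evaluates any `{{ }}` it finds in text that is not under `v-pre`. The layout shape, the `compare` helper and the two payload strings are constructed for illustration; `exposedMustaches` is an audit approximation of the compiler's text handling, not Vue's code.

```javascript
'use strict';

// Added example, not code from the thread, Laravel or Vue. Models the
// "escaped for HTML but still a Vue template" problem: a Vue 2 instance
// mounted on #app compiles the element's existing markup as its template
// and evaluates every {{ }} in text that is not under a v-pre attribute.

// Mirrors Blade's {{ }} output: htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// What the browser's HTML parser hands to Vue: the entities decoded again,
// which is why entity-encoding the braces would not help either.
function decodeEntities(text) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return text.replace(/&(amp|lt|gt|quot|#039);/g, (_, name) => map[name]);
}

// Assumed layout, shaped like the old auth scaffold: the Vue root wraps the
// whole page and the signed-in user's name is printed in the navbar.
// vPre: true puts a v-pre fence on the element holding user-controlled text.
function renderLayout(userName, { vPre = false } = {}) {
  const guard = vPre ? ' v-pre' : '';
  return `<div id="app">
  <nav><span class="user"${guard}>${escapeHtml(userName)}</span></nav>
  <main>{{ message }}</main>
</div>`;
}

// Audit approximation of the in-DOM compiler's text handling (not Vue code):
// returns the mustache expressions Vue would evaluate, i.e. those in text
// with no v-pre ancestor. Assumes well-formed markup in which every element
// is explicitly closed (no void or self-closing tags), as in the layout above.
function exposedMustaches(html) {
  const found = [];
  const preStack = []; // one entry per open element: is it under v-pre?
  for (const tok of html.split(/(<[^>]*>)/)) {
    if (tok.startsWith('</')) {
      preStack.pop();
    } else if (tok.startsWith('<')) {
      const inherited = preStack.length > 0 && preStack[preStack.length - 1];
      preStack.push(inherited || /\sv-pre(?=[\s>\/=])/.test(tok));
    } else if (!(preStack.length > 0 && preStack[preStack.length - 1])) {
      for (const m of decodeEntities(tok).matchAll(/\{\{([\s\S]+?)\}\}/g)) {
        found.push(m[1].trim());
      }
    }
  }
  return found;
}

// Constructed payloads. The first is the classic markup payload that HTML
// escaping stops; the second contains no HTML-significant characters beyond
// the quotes, so it survives escaping and reaches Vue intact.
const markupPayload = '<script>alert(1)</script>';
const vuePayload = '{{ constructor.constructor("alert(document.cookie)")() }}';

// For one user name: what Blade emits, what Vue would evaluate without a
// v-pre fence, and what it would evaluate with one.
function compare(userName) {
  return {
    escaped: escapeHtml(userName),
    unguarded: exposedMustaches(renderLayout(userName)),
    guarded: exposedMustaches(renderLayout(userName, { vPre: true })),
  };
}

for (const name of [markupPayload, vuePayload]) {
  console.log(JSON.stringify(compare(name), null, 2));
}
```

Run it and the markup payload comes out neutralised while the Vue payload is returned as an expression the compiler would evaluate; only the `v-pre` fence removes it. The practical checks this suggests: every server-rendered user string that lands inside the Vue root needs `v-pre` (or the root must be narrowed so that it does not contain such strings at all, which is what Cronix's `preset none` argument amounts to), and an audit that greps rendered pages or stored profile fields for `{{` inside the mount root finds the cases HTML escaping has already missed.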

Cronix's avatar

@Snapey

Yes, it's down to Vue, but they may not even be aware that Vue is loaded.

That's exactly why I strongly disagree with any (frontend) packages included as a convenience by default. It's nice that they included php artisan preset none to be able to remove them, but imho that should be the default setting.

I don't think any of these should be included in package.json by default:

"devDependencies": {
    "axios": "^0.18",
    "bootstrap": "^4.0.0",
    "popper.js": "^1.12",
    "cross-env": "^5.1",
    "jquery": "^3.2",
    "laravel-mix": "^2.0",
    "lodash": "^4.17.4",
    "vue": "^2.5.7"
}

Maybe with the exception of cross-env, since mix uses it in the commands, but none of the others really should be there.

jlrdw's avatar

At most I use JavaScript and AJAX for something like this:

// an ajax return of some data
$('#dep').val(dep);
// others form fields filled or updated with current data

Just filling the field with some returned data. But that isn't really server-side rendering. So I guess a normal jQuery AJAX return of data, then filling (updating) fields with such data, is still safe. Is that correct?

Or something like

$("#myTable td:nth-child(1)").click(function (event) {
    event.preventDefault();
    // Read the id from the first cell of the clicked row
    var $td = $(this).closest('tr').children('td');
    var currentCellText = $td.eq(0).text();
    $.ajax({
        url: '/crudv2/admin/getowner',
        type: 'GET',
        data: 'id=' + currentCellText,
        dataType: 'json',
        success: function (data) {
            // Fill the form fields in the window that opened this popup
            window.opener.$('#firstName').val(data.fn);
            window.opener.$('#lastName').val(data.ln);
            self.close();
        }
    });
});

Still safe? Just an example of some old test code, sorry.

Point is, is a fairly routine jQuery AJAX return still safe?

Cronix's avatar

The XSS problem was specifically with Vue.

Cronix's avatar

@m-rk it looks like that bug in the profile has been plugged.
