Security: JavaScript URL injection allowed in query string parameter and redirection to uBlock origin urls #1797

Closed
8 tasks done
hackvertor opened this issue Nov 4, 2021 · 3 comments
Labels
bug Something isn't working fixed issue has been addressed


@hackvertor

Prerequisites

I tried to reproduce the issue when...

  • uBO is the only extension
  • uBO with default lists/settings
  • using a new, unmodified browser profile

Description

uBlock Origin allows you to redirect to its Chrome URL from certain sites such as GitHub. It's also possible to inject a JavaScript URL, but CSP inside the extension prevents exploitation. This also works for redirecting to other uBlock locations within the extension.

https://subscribe.adblockplus.org/?location=javascript:alert(1)&title=EasyList

You can redirect to any other URL within the extension too:
https://subscribe.adblockplus.org/?location=dashboard.html%23about.html&title=EasyList

A specific URL where the issue occurs

https:

Steps to Reproduce

  1. Visit the following URL https://subscribe.adblockplus.org/?location=javascript:alert(1)&title=EasyList
  2. Click the JavaScript URL link.
  3. You should get a CSP violation.

Expected behavior

JavaScript URLs should not be allowed.

Actual behavior

JavaScript URL is allowed and a CSP violation occurs.

uBlock Origin version

1.38.6

Browser name and version

Chrome 95.0.4638.69

Operating System and version

MacOS 10.15.7
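
An added example, not part of the original report and not uBlock Origin's code: one way to validate the `location` parameter of a subscribe link so that both URLs reported above are rejected. The function name `parseSubscribeLink`, the http/https allowlist and the `example.org` list URL are assumptions made for illustration.

```javascript
'use strict';

// Assumption: filter lists are only ever fetched over these schemes.
const ALLOWED_SCHEMES = new Set(['https:', 'http:']);

// Parse a subscribe link and return { location, title },
// or null when the link must not be offered to the user.
function parseSubscribeLink(href) {
    let link;
    try {
        link = new URL(href);
    } catch {
        return null;
    }
    const rawLocation = link.searchParams.get('location');
    if (rawLocation === null || rawLocation.trim() === '') { return null; }

    // No base URL is passed on purpose: a relative value such as
    // "dashboard.html#about.html" must fail to parse instead of being
    // resolved against the extension's own origin.
    let target;
    try {
        target = new URL(rawLocation);
    } catch {
        return null;
    }
    // Check the scheme the URL parser reports rather than matching
    // a string prefix on the raw parameter.
    if (ALLOWED_SCHEMES.has(target.protocol) === false) { return null; }

    return {
        location: target.href,
        title: link.searchParams.get('title') || target.hostname,
    };
}

// The first two links are the ones from the report; the third is constructed.
const SAMPLES = [
    'https://subscribe.adblockplus.org/?location=javascript:alert(1)&title=EasyList',
    'https://subscribe.adblockplus.org/?location=dashboard.html%23about.html&title=EasyList',
    'https://subscribe.adblockplus.org/?location=https://example.org/list.txt&title=EasyList',
];
for (const sample of SAMPLES) {
    console.log(sample, '->', parseSubscribeLink(sample));
}
```

Rejecting at parse time means the dialog never renders a clickable link for the unsafe value, so the extension's CSP stays a second layer rather than the only one.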

gorhill added a commit to gorhill/uBlock that referenced this issue Nov 4, 2021
gorhill added a commit to gorhill/uBlock that referenced this issue Nov 4, 2021
@uBlock-user uBlock-user added the bug Something isn't working label Nov 4, 2021
@uBlock-user uBlock-user added the fixed issue has been addressed label Nov 5, 2021
@gwarser gwarser reopened this Nov 10, 2021
@gwarser

gwarser commented Nov 10, 2021

gorhill added a commit to gorhill/uBlock that referenced this issue Nov 10, 2021
@gwarser gwarser closed this as completed Nov 10, 2021
@gorhill
Member

gorhill commented Dec 6, 2021

Related: https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css
