jqueryui.com XSS

Nothing fancy, but jqueryui.com/themeroller is vulnerable to reflected XSS attacks. I verified this vulnerability on Google Chrome (23.0.1271.64) and Firefox (17.0). The vulnerable URI is http://jqueryui.com/themeroller/#"><script>alert(document.domain);</script>

I disclosed this bug to the jQuery UI bugtracker on November 26, 2012, which can be found here: http://bugs.jqueryui.com/ticket/8854

To understand what is going on, let's examine a benign payload like #TARGET. The page builds a <link> tag whose 'src' attribute is assembled, unescaped, from the fragment identifier (the part of the URL after #).

Using #"><script>alert(document.domain)</script> as the payload, we see that the <link> tag is closed early and the remainder of what would have been inside the <link> tag is rendered onto the page as plain text.
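As an added example (not code from the original post or from jQuery UI), the snippet below models the bug class described above: the URL fragment is concatenated straight into <link> markup, next to two hardened versions that treat the fragment as data. The function names, the theme-name allowlist and the CSS path are assumptions; the tag's URL attribute is written as href, which is what <link> uses.

```javascript
// Hypothetical model of the ThemeRoller construction; not jQuery UI's code.

// Vulnerable pattern: the fragment is spliced into HTML unescaped, so a
// fragment containing "> terminates the attribute and the tag.
function buildThemeLinkUnsafe(fragment) {
  const theme = fragment.replace(/^#/, "");
  return '<link rel="stylesheet" href="css/' + theme + '/jquery-ui.css">';
}

// Hardened pattern 1: accept only a conservative allowlist of theme names
// (assumption: theme names are alphanumeric plus - and _) and reject
// anything else instead of trying to "clean" it.
const THEME_NAME = /^[A-Za-z0-9_-]{1,64}$/;

function buildThemeLinkSafe(fragment) {
  const theme = fragment.replace(/^#/, "");
  if (!THEME_NAME.test(theme)) {
    return null;
  }
  // encodeURIComponent is defence in depth once the allowlist has passed.
  return '<link rel="stylesheet" href="css/' + encodeURIComponent(theme) + '/jquery-ui.css">';
}

// Hardened pattern 2: build the element with DOM APIs so the value is set as
// an attribute and is never parsed as markup. `doc` is any document-like
// object with createElement() and head.appendChild().
function appendThemeLink(doc, fragment) {
  const theme = fragment.replace(/^#/, "");
  if (!THEME_NAME.test(theme)) {
    return null;
  }
  const link = doc.createElement("link");
  link.rel = "stylesheet";
  link.href = "css/" + encodeURIComponent(theme) + "/jquery-ui.css";
  doc.head.appendChild(link);
  return link;
}

// Constructed inputs: the benign fragment and the post's proof-of-concept.
const BENIGN_FRAGMENT = "#TARGET";
const POC_FRAGMENT = '#"><script>alert(document.domain)</script>';
```

In a browser, appendThemeLink(document, location.hash) is the drop-in replacement for the string-building version.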
