Discussion:
Base.js unescape reassignment and intrusion protection systems
Michael
2009-07-17 01:34:17 UTC
Permalink
I have found a problem with MochiKit Base.js and the intrusion
protection system at work. The IPS truncates Base.js because it
assigns the unescape() function to a variable (in parseQueryString(),
line 1225 in version 1.4.2 of Base.js). The IPS response is documented
here:

http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm

Has anybody else seen this behaviour? Could the code be re-written to
not use that reassignment?


(I discovered this because MarkMail does not work, and it uses a
compressed version of MochiKit 1.4.)


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "MochiKit" group.
To post to this group, send email to ***@googlegroups.com
To unsubscribe from this group, send email to mochikit+***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---
Per Cederberg
2009-07-17 03:18:35 UTC
Permalink
The reassignment is for backwards compability if I understand it correctly:

if (typeof(decodeURIComponent) != "undefined") {
decode = decodeURIComponent;
} else {
decode = unescape;
}
The escape and unescape functions do not work properly for non-ASCII
characters and have been deprecated. In JavaScript 1.5 and later, use
encodeURI, decodeURI, encodeURIComponent, and decodeURIComponent.

https://developer.mozilla.org/En/Core_JavaScript_1.5_Guide/Predefined_Functions/Escape_and_unescape_Functions

I don't see any good alternative solutions here. Perhaps the IDS
should be forced to allow a few exceptions?

Cheers,

/Per
Post by Michael
I have found a problem with MochiKit Base.js and the intrusion
protection system at work. The IPS truncates Base.js because it
assigns the unescape() function to a variable (in parseQueryString(),
line 1225 in version 1.4.2 of Base.js). The IPS response is documented
http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
Has anybody else seen this behaviour? Could the code be re-written to
not use that reassignment?
(I discovered this because MarkMail does not work, and it uses a
compressed version of MochiKit 1.4.)
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "MochiKit" group.
To post to this group, send email to ***@googlegroups.com
To unsubscribe from this group, send email to mochikit+***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---
Bob Ippolito
2009-07-17 03:19:26 UTC
Permalink
There are various ways it could be rewritten, but without knowing
exactly how stupid the IPS is it's hard to say which permutation would
pass its test. Someone who can reproduce this issue should spend some
time with it and produce a patch.
Post by Michael
I have found a problem with MochiKit Base.js and the intrusion
protection system at work. The IPS truncates Base.js because it
assigns the unescape() function to a variable (in parseQueryString(),
line 1225 in version 1.4.2 of Base.js). The IPS response is documented
http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
Has anybody else seen this behaviour? Could the code be re-written to
not use that reassignment?
(I discovered this because MarkMail does not work, and it uses a
compressed version of MochiKit 1.4.)
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "MochiKit" group.
To post to this group, send email to ***@googlegroups.com
To unsubscribe from this group, send email to mochikit+***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---
Per Cederberg
2009-07-17 06:07:12 UTC
Permalink
Now that I'm awake, it strikes me that this might be the obvious solution:

function decode(text) {
if (typeof(decodeURIComponent) != "undefined") {
return decodeURIComponent(text);
} else {
return unescape(text);
}
}

Try to patch it in a repackage the source code and let us know how it
works. It's slightly less efficient code, but we might optimize some
of that away if it works.

Cheers,

/Per
Post by Bob Ippolito
There are various ways it could be rewritten, but without knowing
exactly how stupid the IPS is it's hard to say which permutation would
pass its test. Someone who can reproduce this issue should spend some
time with it and produce a patch.
Post by Michael
I have found a problem with MochiKit Base.js and the intrusion
protection system at work. The IPS truncates Base.js because it
assigns the unescape() function to a variable (in parseQueryString(),
line 1225 in version 1.4.2 of Base.js). The IPS response is documented
http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
Has anybody else seen this behaviour? Could the code be re-written to
not use that reassignment?
(I discovered this because MarkMail does not work, and it uses a
compressed version of MochiKit 1.4.)
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "MochiKit" group.
To post to this group, send email to ***@googlegroups.com
To unsubscribe from this group, send email to mochikit+***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---
Michael
2009-07-20 01:59:27 UTC
Permalink
Thanks Per for your analysis. I think your suggestion will work. Who
will try it? I am not a MochiKit user directly. I'm a MarkMail user
who investigated why he can't view articles at work.

At work I am getting an exception made to allow JavaScript from
markmail.org. But that doesn't help anyone else wanting to use a site
using MochiKit inside a similarly-protected environment.

The IDS information I have is that a Proventia device scans JavaScript
files. It truncates any that contain a reassignment of the unescape()
function to a variable because that is considered a vulnerability. I
have tested at work with a minimal JavaScript file and found that
Per's suggested modification is not blocked.

—Michael
   function decode(text) {
       if (typeof(decodeURIComponent) != "undefined") {
           return decodeURIComponent(text);
       } else {
           return unescape(text);
       }
   }
Try to patch it in a repackage the source code and let us know how it
works. It's slightly less efficient code, but we might optimize some
of that away if it works.
Cheers,
/Per
Post by Bob Ippolito
There are various ways it could be rewritten, but without knowing
exactly how stupid the IPS is it's hard to say which permutation would
pass its test. Someone who can reproduce this issue should spend some
time with it and produce a patch.
Post by Michael
I have found a problem with MochiKit Base.js and the intrusion
protection system at work. The IPS truncates Base.js because it
assigns the unescape() function to a variable (in parseQueryString(),
line 1225 in version 1.4.2 of Base.js). The IPS response is documented
http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape...
Has anybody else seen this behaviour? Could the code be re-written to
not use that reassignment?
(I discovered this because MarkMail does not work, and it uses a
compressed version of MochiKit 1.4.)
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "MochiKit" group.
To post to this group, send email to ***@googlegroups.com
To unsubscribe from this group, send email to mochikit+***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---

Loading...