False positive "jQuery < 1.9.0 XSS Vulnerability"?

false_positive

#1

Hi all,
I have done a VA on a webserver and it returns these vulnerabilities:

jQuery < 1.6.3 XSS Vulnerability
jQuery < 1.9.0 XSS Vulnerability

jQuery 2.2.1 is installed on the webserver.
Viewing the NASL (/var/lib/openvas/plugins/2018/jquery/gb_jquery_xss_vuln2.nasl), I noticed that the variable “version” returns a value “.2.2.1” (it starts with a dot) instead of “2.2.1”.
Could it be the problem?

Thank you all
Giovanni


#2

Thanks for your report. The Detection-VT for jQuery has received various updates one day ago which are not published in the feed yet. Please try to do a re-scan once the following VT has reached the feed in r13969:

Name: jQuery Detection
OID: 1.3.6.1.4.1.25623.1.0.141622

In this VT you will also find various information on how the jQuery lib was detected and where the version was extracted from. If there is a version “.2.2.1” registered in this output, it would be great if you could share the output of this VT.


#3

Ok,
thank you.
I’ll give you a feedback once done.

Giovanni


#4

Great, thanks.

In your GSA web interface you can go to SecInfo -> NVTs, put the mentioned OID from above into the search field and check the “Version” column to see which Revision of this VT is currently available on your installation / in the feed.

The output of the mentioned Detection-VT should look like e.g. below. I guess the jquery lib on your deployment is using something like jquery.3.3.1.min.js and not the common naming format like jquery-3.3.1.min.js. The currently used regex to extract the version might not be sufficient for this format.

Detected jQuery

Version:  3.3.1
Location: /js
CPE:      cpe:/a:jquery:jquery:3.3.1

Concluded from version/product identification result:
src="js/jquery-3.3.1.min.js

#5

Hi cfi,

The output of the mentioned Detection-VT should look like e.g. below. I guess the jquery lib on your deployment is using something like jquery.3.3.1.min.js and not the common naming format like jquery-3.3.1.min.js. The currently used regex to extract the version might not be sufficient for this format.

Exactly, I have the /js/jquery.X.X.X.min.js (with the dot)
About the revision, actually it’s at $Revision: 12178 $, I think I have to wait a bit :smiley:
The feeds are s days old

Thank you
Giovanni


#6

This is a quite uncommon deployment / naming scheme for the jquery lib (have only found a couple of “live” systems using this format in contrast to hundreds of thousands of the jquery-x.x.x.min.js one) and is definitely the reason for the reported issue. The VT had initially used the following regex:

jquery([0-9.-]+)?

where the dot was included when extracting the version. Nevertheless, regardless of the uncommon naming scheme, the regex should catch such variants as well. The VT has been updated accordingly and the updated version r14001 should arrive in the feed soon.

Thanks again for your report.
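To make the regex issue from this thread concrete, here is an added example (my own Python, not the VT's NASL code) that runs the pattern quoted above against both file-naming schemes and shows why a captured leading dot breaks the version comparison. The tightened pattern is an assumption of mine, not the regex the updated VT uses.

```python
import re
from typing import Optional, Tuple

# Pattern quoted in the thread as the VT's original one. Both "." and "-"
# sit inside the capturing group, so the separator in front of the digits
# is captured together with the version.
ORIGINAL_RE = re.compile(r"jquery([0-9.-]+)?", re.IGNORECASE)

# My own tightened pattern (an assumption, not the updated VT's regex): the
# separator is matched outside the group, the group takes only a dotted
# numeric version, and ".min" plus ".js" are consumed explicitly.
FIXED_RE = re.compile(r"jquery[.-]?([0-9]+(?:\.[0-9]+)*)(?:\.min)?\.js", re.IGNORECASE)


def extract_original(src: str) -> Optional[str]:
    """Raw capture of the original pattern, trailing separator trimmed."""
    m = ORIGINAL_RE.search(src)
    if not m or not m.group(1):
        return None
    return m.group(1).rstrip(".-") or None


def extract_fixed(src: str) -> Optional[str]:
    """Version from the tightened pattern, None when no version is in the name."""
    m = FIXED_RE.search(src)
    return m.group(1) if m else None


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Numeric tuple for 'a.b.c'; None if any component is not an integer."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def vulnerable_below(version: str, fixed_in: str) -> Optional[bool]:
    """True if version < fixed_in, False otherwise, None if unparseable."""
    v, f = parse_version(version), parse_version(fixed_in)
    if v is None or f is None:
        return None
    return v < f


# Constructed sample script tags: the common naming scheme and the dotted
# one reported in this thread.
COMMON = 'src="js/jquery-3.3.1.min.js"'
DOTTED = 'src="/js/jquery.2.2.1.min.js"'
```

A `None` from `vulnerable_below` is the case to watch for: a scanner that treats an unparseable version as "older than the fix" produces exactly the false positive reported here.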


#7

Ok, thank you a lot
Giovanni