Users encouraged to upgrade to latest version of Bleach

Mozilla has patched a cross-site scripting (XSS) security bug in Bleach

Mozilla has patched a cross-site scripting (XSS) bug in Bleach, a Python library that enables developers to clean data and prevent XSS attacks, according to an advisory posted on GitHub.

Mozilla Bleach is one of several libraries that enable Python web developers to clean input data and escape or remove parts that could lead to the execution of arbitrary code. It is especially popular among users of Django, Python’s web development platform.

The discovered vulnerability was in Bleach’s clean() function, which takes a fragment of HTML code as input and sanitizes disallowed tags and attributes.

It is hard to weigh the impact of the bug, but GitHub lists more than 61,000 repositories depending on Bleach.

Among the library’s users are EdX, Fedora, Microsoft, the Python Software Foundation, and 18F, a digital service agency in the US.

There’s no evidence of the vulnerability being exploited in the wild, and Mozilla quickly issued a patch after the bug was reported, Justin O’Kelly, a spokesperson for Mozilla, told The Daily Swig.

Moreover, only a particular combination of arguments passed to the clean() function could expose it to XSS attacks.

“The vulnerability lies in a non-standard use of the library, so while not necessarily hard, it should be fairly unusual,” O’Kelly said.

Mutation XSS

The bug is a special kind of XSS vulnerability called ‘mutation XSS’, which is caused by differences in how browsers parse and interpret the same HTML code.

But, O’Kelly warns, “The vulnerability is not browser-specific or leverages any browser weaknesses, so without mitigating controls, most browsers will execute the XSS.”

O’Kelly also recommended that websites deploy a Content Security Policy for defense in depth.

The vulnerability was discovered in Bleach v3.1.1, but earlier versions might have been affected too, according to Mozilla. All users are encouraged to upgrade to 3.1.2 or later.

In fact, while you’re at it, you might as well upgrade to v3.1.4, released on March 24. The new version has fixed another vulnerability that exposed applications to regular expression denial-of-service (ReDoS) attacks.

ReDoS attacks take advantage of the slow processing of certain regular expressions to cause web servers to grind to a halt.
