
jsMath Security Issue

Security Issue

A security issue was found in all versions of jsMath before 2.x-dev for Drupal 6.x of Jul 29, 2010.

You may still securely use older versions of jsMath on private websites and on websites where you are the only user (as in, the only one who can log in).

The Drupal Security Advisory issue is here: https://www.drupal.org/node/854402

Other Problem

There is another problem: jsMath offers a JavaScript function that parses entire web pages (although there are ways to circumvent that problem, the module does not currently make use of those). The jsMath Drupal module uses the jsMath Easy JavaScript. That script has this call:

   jsMath.tex2math.Convert(document, jsMath.Easy.findCustomSettings);

As you can see, it passes the document as the element to work on, that is, the entire page (not even just the body part). Consequently, unless you are the only person who can enter data on your site, any user can enter jsMath TeX code anywhere and it will be processed.

Note that as long as the jsMath library has no security issue, then this is not a real security issue. Yet, you have to keep in mind that the jsMath library does not have the same security checks as Drupal does. I would think that it is secure, but I do not know how much work is done on that side of things. (If you know more than I, please post a comment below about it!)

Solutions

Until the conversion gets fixed (i.e. uses a specific element that represents just and only the node content), I suggest the following solutions.

Easy

The best solution: create a website YOU are 100% in control of (i.e. no one else can post anything, including comments, on that website).

Harder

The harder solution: create a website that offers the jsMath functionality only for you and a few trusted people and make sure that wherever those pages appear, they are never shown with any data that other people can enter on your website. This includes blocks (especially those with Latest Posts, Latest Comments, etc.), comments, aggregated RSS feeds, etc.

Remember that nodes marked as Promoted to front page appear in lists of nodes. For instance, even if you change the home page on your website, the /node page remains accessible and shows all those pages... If another user can post a forum question and include bad code in that page, jsMath will pick it up on /node.

Views are similarly capable of mixing multiple nodes together and thus mixing potentially dangerous content (in regard to jsMath) together.
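
The fix described under Solutions, converting only a specific element instead of the whole document, shown as an added example (not code from jsMath or from the Drupal module). The jsmath-trusted marker class and the comment class for user-entered regions are assumptions; in a browser, convert would wrap jsMath.tex2math.Convert and settings would be jsMath.Easy.findCustomSettings.

```javascript
// Added example; not jsMath or Drupal module code.
const TRUSTED = 'jsmath-trusted'; // hypothetical marker class set by the server
const UNTRUSTED = 'comment';      // assumed class on user-entered regions
function hasClass(el, name) {
  return (' ' + (el.className || '') + ' ').indexOf(' ' + name + ' ') !== -1;
}

// True when el is, or sits inside, a user-entered region.
function insideUntrusted(el) {
  for (let n = el; n; n = n.parentNode) {
    if (hasClass(n, UNTRUSTED)) return true;
  }
  return false;
}

// Calls convert(element, settings) per trusted container, never on the whole page.
function convertTrusted(doc, convert, settings) {
  const converted = [];
  for (const el of Array.from(doc.getElementsByClassName(TRUSTED))) {
    if (insideUntrusted(el)) continue;                          // marker typed into a comment
    if (el.getElementsByClassName(UNTRUSTED).length) continue;  // user content mixed in
    convert(el, settings);
    converted.push(el.id);
  }
  return converted;
}

// Constructed stand-in for DOM elements so the example runs outside a browser.
function fakeEl(id, className, children = []) {
  const node = { id, className, children, parentNode: null };
  children.forEach((c) => { c.parentNode = node; });
  node.getElementsByClassName = (name) => {
    const out = [];
    (function walk(n) {
      n.children.forEach((c) => { if (hasClass(c, name)) out.push(c); walk(c); });
    })(node);
    return out;
  };
  return node;
}

// Constructed page: one clean node, one forged marker, one mixed container.
function demo() {
  const page = fakeEl('page', '', [
    fakeEl('node-1', 'node', [fakeEl('math-1', TRUSTED)]),
    fakeEl('comment-7', 'comment', [fakeEl('forged', TRUSTED)]),
    fakeEl('node-2', 'node', [fakeEl('math-2', TRUSTED, [fakeEl('comment-9', 'comment')])]),
  ]);
  return convertTrusted(page, () => {}, {});
}
```

Only math-1 is converted in the constructed page: the marker inside a comment and the container that embeds a comment are both skipped.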