| Title | Lagom Lagom WHMCS Template * Prototype Pollution |
|---|---|

**Description**

### 1. Executive Summary
During a security assessment of the Lagom WHMCS Template, a prototype pollution vulnerability was identified. The issue resides in an outdated version of the DataTables library (`datatables.net`) bundled with the template. Versions prior to 1.10.23 expose the internal function `_fnSetObjectDataFn`, which can be abused to modify the `Object.prototype` of JavaScript objects. This allows an attacker to inject properties or methods that affect all objects in the application, potentially leading to cross-site scripting (XSS), validation bypass, denial of service, and other unexpected behaviors.
The vulnerability was discovered and responsibly disclosed by security researcher S4nnty.
---
### 2. Affected Component
- **Template:** Lagom WHMCS Template
- **Vulnerable Dependency:** `datatables.net` versions < 1.10.23
- **Insecure Function:** `jQuery.fn.dataTable.ext.internal._fnSetObjectDataFn`
---
### 3. Technical Description
Prototype pollution occurs when an attacker controls the properties of JavaScript’s `Object.prototype`. Because every object inherits from this prototype, a successful pollution can alter the behavior of the entire application.
The function `_fnSetObjectDataFn` is designed to set a value deep within an object using a dot-notation string (e.g., `"a.b.c"`). It splits the string and traverses the object tree. However, versions prior to 1.10.23 do not properly sanitize the input path, allowing the use of special keys like `__proto__` to access and modify the prototype.
For example, an attacker can execute:
```javascript
jQuery.fn.dataTable.ext.internal._fnSetObjectDataFn('__proto__.polluted')({}, true);
```
After this call, any new object created will inherit the property `polluted` with the value `true`.
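The traversal described above, modelled as a stand-alone dot-path setter beside a hardened variant that rejects prototype-reaching keys and a small detection check. This is simplified illustration code added for this page, not DataTables' source; `setByPath`, `safeSetByPath`, `isPrototypePolluted` and `runDemo` are assumed names.

```javascript
// Simplified model of a DataTables-style dot-path setter (illustration only, not DataTables' code).
// setByPath(path) returns a setter (obj, value) that walks obj along the path,
// creating missing intermediate objects and assigning value at the last key.
function setByPath(path) {
  var keys = path.split('.');
  return function (obj, value) {
    var node = obj;
    for (var i = 0; i < keys.length - 1; i++) {
      if (node[keys[i]] === undefined) {
        node[keys[i]] = {};
      }
      node = node[keys[i]]; // a '__proto__' segment lands on Object.prototype
    }
    node[keys[keys.length - 1]] = value;
    return obj;
  };
}

// Hardened variant: reject any path segment that can reach a prototype, before traversing.
var DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
function safeSetByPath(path) {
  path.split('.').forEach(function (key) {
    if (DANGEROUS_KEYS.indexOf(key) !== -1) {
      throw new Error('Unsafe key in data path: ' + key);
    }
  });
  return setByPath(path);
}

// Detection check: an own property on Object.prototype that nobody defined is a pollution sign.
function isPrototypePolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}

function runDemo() {
  var result = {};
  setByPath('__proto__.polluted')({}, true);       // vulnerable: pollutes Object.prototype
  result.polluted = ({}).polluted === true && isPrototypePolluted('polluted');
  delete Object.prototype.polluted;                // undo the pollution for the rest of the runtime
  try {
    safeSetByPath('__proto__.polluted')({}, true); // hardened: throws before any traversal
    result.blocked = false;
  } catch (e) {
    result.blocked = true;
  }
  result.stillClean = !isPrototypePolluted('polluted') && ({}).polluted === undefined;
  result.normal = safeSetByPath('a.b.c')({}, 1).a.b.c === 1; // legitimate paths still work
  return result;
}
```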
---
### 4. Proof of Concept
The following proof-of-concept script demonstrates multiple exploitation vectors:
- **Basic Pollution:** Injects a property (`polluted`) into `Object.prototype`.
- **XSS via `toString`:** Replaces `Object.prototype.toString` with a malicious function that triggers an alert.
- **Validation Bypass:** Overrides `RegExp.prototype.exec` and `RegExp.prototype.test` to subvert regex-based checks.
- **Denial of Service:** Replaces regex methods with non-function values, causing runtime errors.
The full PoC code is provided separately. When executed in a vulnerable environment, it logs each test and confirms successful exploitation.
---
### 5. Impact
An attacker who can execute arbitrary JavaScript in the context of a page using the vulnerable template can achieve:
- **Cross-site Scripting (XSS):** By polluting `toString`, any implicit or explicit string conversion of an object can execute attacker-controlled code.
- **Security Control Bypass:** If the application uses regular expressions for input validation (e.g., sanitization, access control), polluting `RegExp.prototype` can neutralize those checks.
- **Denial of Service:** Replacing critical methods with non-functions can break application logic and cause persistent errors.
- **Data Corruption:** Properties injected into the prototype may interfere with object operations, leading to data integrity issues.
The exact impact depends on how the application uses JavaScript objects and regex. In many WHMCS installations, such pollution could be leveraged to elevate privileges or compromise administrative functions.
---
### 6. Remediation
#### 6.1 Immediate Fix
Update the `datatables.net` library to version **1.10.23 or later**. This version includes a fix that prevents the use of `__proto__` and other dangerous keys in path strings.
If you are using a CDN or a package manager, ensure the updated version is loaded:
```html
<!-- Example using CDN -->
<script src="https://cdn.datatables.net/1.10.23/js/jquery.dataTables.min.js"></script>
```
#### 6.2 Temporary Workaround
If an immediate update is not feasible, you can mitigate the risk by patching the vulnerable function. Add the following code **after** DataTables is loaded but before any untrusted code runs:
```javascript
(function () {
  var internal = jQuery.fn.dataTable.ext.internal;
  var original = internal._fnSetObjectDataFn;
  var dangerous = ['__proto__', 'constructor', 'prototype'];
  internal._fnSetObjectDataFn = function (source) {
    // source may also be null, a function or a number; only string paths are traversed.
    if (typeof source === 'string' && dangerous.some(function (key) { return source.indexOf(key) !== -1; })) {
      throw new Error('Prototype pollution attempt blocked');
    }
    return original.apply(this, arguments);
  };
})();
```
*Note: This is a partial mitigation. It only intercepts calls made through the exposed `ext.internal` reference; DataTables' own column-data handling calls the closure-scoped function directly and is not covered, and the check may break legitimate uses of the library that rely on such keys. A full update is strongly recommended.*
---
### 7. Additional Recommendations
- **Audit Dependencies:** Regularly review all JavaScript libraries included in your template for known vulnerabilities. Tools like `npm audit` or Snyk can help.
- **Subresource Integrity (SRI):** When loading libraries from CDNs, use SRI hashes to ensure the files have not been tampered with.
- **Content Security Policy (CSP):** Implement a strict CSP to limit the impact of XSS even if prototype pollution occurs.
- **Security Testing:** Incorporate automated security scans into your development pipeline to catch similar issues early.
---
### 8. Conclusion
The Lagom WHMCS Template is currently vulnerable to prototype pollution due to an outdated DataTables dependency. Users of the template should upgrade immediately to avoid potential exploitation.
| Source | https://github.com/devsamuelsantiago/lagom-prototype-pollution-poc/ |
|---|---|
| User | s4nnty (UID 95917) |
| Submission | 04/03/2026 13h43 (30 days ago) |
| Moderation | 15/03/2026 21h38 (11 days later) |
| Status | Accepted |
| VulDB Entry | 351181 [Lagom WHMCS Template up to 2.3.7 Datatables] |
| Points | 20 |