Shescape 1.5.8 now escapes all arguments by default. Shescape does not escape the `'n'` character because that is a valid unescaped character and is not meant to be escaped. If the `'n'` character is required, a fallback to `'\n'` escaping should be considered. If you encounter non-issues with Shescape use, this bug is not relevant. An attacker can force any argument to be sent as the last argument by including a single `'n'` character in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, a user can fix this by always enclosing the `'n'` characters in double quotes.

How do I know if I'm affected?

If you are using Shescape 1.5.8, any argument containing a single `'n'` character is forced to be the last argument.

How to exploit this vulnerability?

This issue is most likely to be exploited by malicious users via a Cross Site Scripting (XSS) attack. The following is an example of how this vulnerability could be exploited:

1. User 1 visits attacker's site and triggers the XSS attack
2. The attacker executes code on user 1's machine
3. The attacker sends code that uses the `'n'` character in the payload, which causes Shescape to transfer it as the last argument in the call
4. The payload causes Shescape to send a large number of arguments

Resolution

This bug was fixed in [v1.5.8] which you can upgrade to now. No further changes are required.

CVE-2023-31062

The security constraints in [v1.5.8] are stricter now and as such, the `'n'` character is not allowed to escape an argument in the body.

Timeline

Published on: 08/01/2022 20:15:00 UTC
Last modified on: 08/09/2022 13:30:00 UTC
