
Critical security vulnerability #34

Open
omarryhan opened this issue Jul 4, 2020 · 6 comments

Comments

omarryhan commented Jul 4, 2020

https://blog.auxiliumcybersec.com/?p=2586


Cr0wTom commented Jul 7, 2020

Hello @omarryhan ,

I'm the security researcher that found the vulnerability. I responsibly disclosed it to npm two months ago but no fix or advisory has been issued. After 45 days I made the vulnerability public, as it was agreed by the disclosure policy of npm.

I highly suggest that developers not use this product, as it is outdated and vulnerable, with a really low probability of getting new updates in the future.

Unfortunately, I discovered it in one of my pentests in a production system.

If there are any questions regarding the vulnerability, please don't hesitate to contact me, you or anyone in the community. :)


Cr0wTom commented Jul 8, 2020

Advisory has been released: https://www.npmjs.com/advisories/1519


Cr0wTom commented Jul 17, 2020

CVE-ID has been assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15779


ghost commented Jul 27, 2020

I took note of the vulnerability last week through NPM, but now it no longer shows it when installing the package, yet there are no new versions. Also, on the package page on NPM there are no notices anymore either, yet no new version is listed to address the issue, which is weird. The only way I can see the vulnerability notice is by following your link above, so I'm guessing someone removed the notice.

I have, however, addressed this in my own project code by adding a check to verify the incoming name, checking for both `..` and `/` and rejecting the upload if any matches are found for those in the file name; it is not a hard thing to work around for those who wish to continue to use this tool.

```javascript
// 'dolog' and 'host' are defined elsewhere in the commenter's project.
uploader.on('start', (fileInfo) => {
  dolog.log('Started upload..')
  let n = fileInfo.name
  let p = fileInfo.uploadDir
  let owner = fileInfo.data.owner
  // Abort unless the reported upload path is exactly the expected directory
  // for this host followed by the bare file name (a name containing '..' or
  // '/' will not match).
  if (p != '/root/projects/htdocs/twelixty/uploads/' + host + '/' + n) {
    uploader.abort()
    return
  }
  // Abort uploads that carry no owner.
  if (owner == "" || owner === null || owner === undefined) {
    dolog.log('Stopped upload due to invalid owner.')
    uploader.abort()
    return
  }
})
```

I am wondering if the project creator either abandoned this project thinking it's completed, or if they know that the end user can deal with the issue themselves and are too lazy to deal with it; it's such a simple fix!


Cr0wTom commented Sep 30, 2020

Second high severity vulnerability, with the ability to combine it with the first one in order to acquire remote code execution on specific configurations.

https://cr0wsplace.wordpress.com/2020/09/26/socket-io-file-2-0-31-file-type-restriction-bypass/


MickL commented Feb 12, 2024

The last update is 5 years old. @rico345100 could you add a note to the readme that this package is no longer maintained and shouldn't be used due to the security vulnerability?
