ColorlibHQ / AdminLTE

AdminLTE - Free admin dashboard template based on Bootstrap 5
https://adminlte.io
MIT License

[BUG]CVE-2021-36471 #4948

Open zhouf003 opened 1 year ago

zhouf003 commented 1 year ago

https://gist.github.com/cybersaki/31ffe679a5552c1047164e3a5b01c2fd

Describe the bug
This vulnerability can be searched by using the Google dork 'inurl:"/admin/index2.html"' or 'inurl:"/admin/index3.html"' (without single quotes). AdminLTE dashboards have index2.html/index3.html in their products. Using this we can search for the AdminLTE templates which are being used in websites.

Expected behavior
Is there any patch which will fix this bug?

Environment (please complete the following information):
AdminLTE 3.1.0

REJack commented 1 year ago

Please explain to me how we (AdminLTE) should fix this? There is nothing that the template could do to avoid this; that's a failure of the developers of the sites with the vulnerability itself.

codetheorist commented 9 months ago

Yep, these files simply shouldn't be included in the production build of the implementing project.

This bug is a by-product of exposing your entire node_modules folder publicly, which should be avoided unless you really know what you're doing.

If any files are required from node_modules they should be imported using a bundler but if you need them in the browser, then NPM probably isn't the right tool. In those instances, you should use a CDN build or copy a static version of the file to a separate folder, which is publicly available using a URL.
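A pre-deployment check along the lines of the advice in this thread, added here as an example and not code from AdminLTE or from the commenters: it walks a build output directory and flags node_modules content, the demo pages named in the issue, and HTML that links into node_modules (which only works if that tree is served). The sample tree it audits is constructed for the demonstration; its paths are assumptions, not a real project.

```python
import re
import tempfile
from pathlib import Path

# Demo pages shipped with the AdminLTE template (named in this issue) that
# should never be part of a production build.
DEMO_PAGES = {"index2.html", "index3.html"}
# src="..." / href="..." attributes whose path points into node_modules.
NODE_MODULES_REF = re.compile(
    r'''(?:src|href)\s*=\s*["']([^"']*node_modules/[^"']*)["']''', re.IGNORECASE)

def audit_build_dir(root):
    """Return sorted (relative_path, reason) findings for a built site directory."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if "node_modules" in rel.parts:  # the whole tree would be served publicly
            findings.append((rel.as_posix(), "node_modules content in build output"))
            continue
        if path.name in DEMO_PAGES:
            findings.append((rel.as_posix(), "AdminLTE demo page in build output"))
        if path.suffix.lower() in (".html", ".htm"):
            # A page linking into node_modules only works if that tree is exposed.
            text = path.read_text(encoding="utf-8", errors="replace")
            for m in NODE_MODULES_REF.finditer(text):
                findings.append((rel.as_posix(), "references " + m.group(1)))
    return sorted(findings)

def make_sample_build(base):
    """Write a small constructed build tree (not a real project) to audit."""
    base = Path(base)
    (base / "node_modules/admin-lte/dist").mkdir(parents=True)
    (base / "node_modules/admin-lte/dist/adminlte.min.js").write_text("/* constructed */")
    (base / "admin").mkdir()
    (base / "admin/index.html").write_text(
        '<script src="../node_modules/admin-lte/dist/adminlte.min.js"></script>')
    (base / "admin/index2.html").write_text("<h1>constructed demo page</h1>")
    (base / "assets").mkdir()
    (base / "assets/app.js").write_text("// bundler output: fine to ship")

def demo():
    """Audit the constructed tree in a temporary directory; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_build(tmp)
        return audit_build_dir(tmp)
```

Calling demo() reports the three problem files and stays silent on the bundled assets/app.js; pointing audit_build_dir() at a real dist/ folder in CI turns the advice above into a failing build step.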