QuickBox / QB

QuickBox is much more than a 'seedbox installer script': it is a simple approach to easy seedbox and services management from a beautifully designed dashboard, allowing users to interact with their seedbox and server on a professional-grade level.
https://quickbox.io
GNU General Public License v3.0
739 stars 171 forks

Responsible disclosure policy #202

Closed JamieSlome closed 2 years ago

JamieSlome commented 2 years ago

Hey there!

I belong to an open source security research community, and a member (@websecnl) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

websecnl commented 2 years ago

CVE-2021-44981


Assigned CVE so far: CVE-2021-44981

(More CVEs are to be assigned, as there were a total of 5 findings reported.)

JMSDOnline commented 2 years ago

Patched in both CE and Pro

omridon commented 2 years ago

hi where is the patch?

JamieSlome commented 2 years ago

@JMSDOnline - are we able to mark the report as valid and fixed appropriately, if the issue on the report is fixed?

https://huntr.dev/bounties/c4b4b746-a3b9-4f20-910c-4f63e88ce689/

Thanks! ❤️

websecnl commented 2 years ago

https://huntr.dev/bounties/c4b4b746-a3b9-4f20-910c-4f63e88ce689/

Thanks Jamie, but special thanks goes to the developers of Quickbox who have taken this report very seriously and implemented a remediation to the old config.php file very quickly.

CVEs list (2/6); I will update this once more CVE numbers get approved by MITRE:

Security Researchers: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode

For every other security researcher reading this:

QuickBox now has a responsible disclosure mail: sec@quickbox.io. Send your reports there 👍

JMSDOnline commented 2 years ago

@omridon See the updated readme here. The update may additionally be done within QuickBox CE by clicking the "Run Updater" button.

@JamieSlome, as per what was brought to my attention, reproduced, tested and confirmed no longer an active RCE, we can report this as fixed. I had forgotten to push up the commit to finalize this as it was reported to me over the Holiday period and in the midst of heavy developments with the upcoming QuickBox Pro v3. So I did miss pushing up some commits. These should all be present and accounted for.

@websecnl, big credits to you guys for all that you do. It's a pleasure having you make my day a big ball of stress!!! 😂 ❤️

JamieSlome commented 2 years ago

@JMSDOnline - amazing, are you able to confirm what is the patch commit SHA that addresses this issue, so we can confirm it against the report?

https://huntr.dev/bounties/c4b4b746-a3b9-4f20-910c-4f63e88ce689/

Great work to all involved ❤️

websecnl commented 2 years ago


@JamieSlome https://github.com/QuickBox/QB/commit/61c42a30b4d50a4caa89b56384ac88f0bf337922

JamieSlome commented 2 years ago

@websecnl - thanks for this!

Confirmed against the report 🎉