ToBiDi0410 / SpigotDash

A web interface for Spigot that makes monitoring your server easier!

Security issue #18

Open nimmis opened 2 years ago

nimmis commented 2 years ago

From the security scan:

Eclipse Jetty: Transfer-Encoding Request Smuggling Vulnerability

In Eclipse Jetty, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Solution: Upgrade to version 9.4.29.v20200521 or later of Eclipse Jetty.

Information: This vulnerability was identified because (1) the detected version of Eclipse Jetty, 9.4.z-SNAPSHOT, is less than 9.4.11.v20180605
Paths: /

Reference:
Vendor - https://www.eclipse.org/jetty/
Solution - https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668

IP-Address: xxx.xxx.xxx.xx
Port/Protocol: 9696/TCP
Service: http
CVSS: High (7.5)
CVE: CVE-2017-7657

nimmis commented 2 years ago

Fix by applying pull #16 (https://github.com/ToBiDi0410/SpigotDash/pull/16)

ToBiDi0410 commented 2 years ago

> Fix by applying pull #16 (#16)

Hi. Thanks for looking into this. Did you test these changes? As I wrote under the Pull Request, this might be a problem because Socket.IO Java is very strict about the Dependency Versions.

nimmis commented 2 years ago

> Fix by applying pull #16 (#16)
>
> Hi. Thanks for looking into this. Did you test these changes? As I wrote under the Pull Request, this might be a problem because Socket.IO Java is very strict about the Dependency Versions.

I've just quickly tested the 9.4.46.v20220331 version and I'm also going to try 9.4.29.v20200521, which is the first that fixes the security hole. I don't think just updating jetty-server will fix it. Tried the pull, but got a version mismatch, so I updated all of jetty-server, jetty-servlet, jetty-util and websocket-server to the same newer version.

I have only tested that they start up without throwing any exceptions. Do you know what kind of socket problem it could be, so I can test for it?
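The comment above describes the two checks a maintainer wants before closing this kind of finding: every Jetty artifact pinned to one version (a partial bump of jetty-server alone produced the version mismatch), and that version at or above the release the scanner names as fixed. The script below is an added example, not code from the SpigotDash project or from either commenter. It assumes the build is a Maven `pom.xml` with the standard POM namespace (the thread does not show the project's build file); the fixed version `9.4.29.v20200521` and the scanner's `9.4.z-SNAPSHOT` ordering are taken from the scan report quoted above, and both sample POMs are constructed for the example.

```python
"""Audit a Maven pom.xml for Eclipse Jetty artifacts that are mismatched
or older than the release a scanner reports as fixed (example code)."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First fixed release as stated in the scan report quoted in the issue.
FIXED_JETTY_VERSION = "9.4.29.v20200521"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+|z)(?:\.v(\d+)|-SNAPSHOT)?$")


def version_key(version):
    """Map a Jetty version string to a comparable tuple.
    '9.4.29.v20200521' -> (9, 4, 29, 20200521). A 'z' patch or a SNAPSHOT
    qualifier maps to 0 so it sorts below every dated release, which is how
    the scanner treated '9.4.z-SNAPSHOT'. Unparseable strings sort lowest."""
    m = _VERSION_RE.match(version or "")
    if not m:
        return (0, 0, 0, 0)
    major, minor, patch, stamp = m.groups()
    return (int(major), int(minor), 0 if patch == "z" else int(patch), int(stamp or 0))


def _resolve(value, properties):
    """Substitute ${prop} references using the pom's <properties> block."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}",
                  lambda mm: properties.get(mm.group(1), mm.group(0)), value.strip())


def jetty_dependencies(pom_xml):
    """Return {'groupId:artifactId': version} for every org.eclipse.jetty* dependency."""
    root = ET.fromstring(pom_xml)
    properties = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
                  for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        if not group.startswith("org.eclipse.jetty"):
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = _resolve(dep.findtext("m:version", namespaces=NS), properties)
        found[f"{group}:{artifact}"] = version
    return found


def audit_jetty(pom_xml, fixed_version=FIXED_JETTY_VERSION):
    """Return a list of findings; an empty list means every Jetty artifact is
    pinned to a single version that is at least the fixed release."""
    deps = jetty_dependencies(pom_xml)
    if not deps:
        return ["no Eclipse Jetty dependencies found"]
    findings = []
    if len(set(deps.values())) > 1:
        findings.append("version mismatch across Jetty artifacts: "
                        + ", ".join(f"{k}={v}" for k, v in sorted(deps.items())))
    for coord, version in sorted(deps.items()):
        if version_key(version) < version_key(fixed_version):
            findings.append(f"{coord} at {version} is older than fixed release {fixed_version}")
    return findings


# Constructed sample: only jetty-server bumped, the other artifacts left behind,
# which is the partial update that produced the mismatch described in the thread.
POM_MISMATCHED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>9.4.46.v20220331</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-servlet</artifactId><version>9.4.z-SNAPSHOT</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-util</artifactId><version>9.4.z-SNAPSHOT</version></dependency>
    <dependency><groupId>org.eclipse.jetty.websocket</groupId><artifactId>websocket-server</artifactId><version>9.4.z-SNAPSHOT</version></dependency>
  </dependencies>
</project>"""

# Constructed sample: all four artifacts pinned through one property, the shape
# the later comment describes (same newer version everywhere).
POM_PINNED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jetty.version>9.4.46.v20220331</jetty.version></properties>
  <dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>${jetty.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-servlet</artifactId><version>${jetty.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-util</artifactId><version>${jetty.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty.websocket</groupId><artifactId>websocket-server</artifactId><version>${jetty.version}</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for label, pom in (("mismatched", POM_MISMATCHED), ("pinned", POM_PINNED)):
        print(f"== {label} ==")
        for finding in audit_jetty(pom) or ["ok"]:
            print("  " + finding)
```

Running the script reports one mismatch finding plus three "older than fixed release" findings for the partially bumped POM and nothing for the pinned one. Pinning through a single property is what keeps the four artifacts from drifting apart on the next bump; the version ordering deliberately treats a SNAPSHOT as older than any dated release, matching the reasoning in the scan report.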

ToBiDi0410 commented 2 years ago

If the Webinterface works, then there should be no problems. So, yeah, at best just test that.