dmitrytinitilov / bruteser


Security issue #1

Open MarcinHoppe opened 6 years ago

MarcinHoppe commented 6 years ago

I'm a member of the Node.js Security WG (https://github.com/nodejs/security-wg) and we received a report regarding a security issue with this module.

@dmitrytinitilov I could not find your e-mail address to contact you directly so I'm opening this issue to invite you to collaborate with us on a fix.

dmitrytinitilov commented 6 years ago

Hello Marcin. I would be glad to fix the security issue. So what can I do?

MarcinHoppe commented 6 years ago

@dmitrytinitilov We have disclosed the issue to the public some time ago:

https://hackerone.com/reports/342066

If you happen to have a fix and release the updated package, we will be more than happy to update the report and a proper entry in our vulnerability database to recommend updating to the newest version of the package.

dmitrytinitilov commented 6 years ago

Hello Marcin

Thank you for your response. I think I have fixed the path traversal in bruteser. Now the user just gets files from the 'public' directory, and express is responsible for handling that directory correctly.

I am open to any other issues if they happen.
