jan-vandenberg / cruddiy

No-code Bootstrap PHP CRUD generator
http://cruddiy.com
GNU Affero General Public License v3.0
253 stars 80 forks source link

Security vulnerability disclosure #67

Open kazet opened 1 year ago

kazet commented 1 year ago

Hello,

CERT PL found a security vulnerability in this repository. How can we report this privately? We don't see any security policy describing how such vulnerabilities should be reported.

jan-vandenberg commented 1 year ago

Please send to my personal email janvdberg at gmail

kazet commented 1 year ago

Thank you! You should have received a report.

lukigruszka commented 10 months ago

Hello,

CERT PL has sent you a report on 23rd of November and resent it on 18th of December. Have you received any of them?

jan-vandenberg commented 10 months ago

Yes, but the mentioned finding applies to core/relations.php. This is code that is NOT meant to be deployed.

Cruddiy GENERATES code that IS meant to be deployed, and any findings there are of greater importance (not the generator code).

That being said, we will of course try and look into it, but that explains a little bit why there wasn't a direct response.

lukigruszka commented 10 months ago

We are aware that this code is not meant to be deployed. However, in a limited scope that vulnerability still poses a risk - when a user runs cruddiy locally and then enters a malicious website which performs such a crafted POST request to localhost, some arbitrary shell command will be executed on his/her machine.

lukigruszka commented 7 months ago

Hi, any updates on that? We would like to proceed with assigning a CVE for that vulnerability