rico345100 / socket.io-file

Socket.io-file is a node module for uploading file via Socket.io module
MIT License

Critical security vulnerability #34

Open omarryhan opened 4 years ago

omarryhan commented 4 years ago

https://blog.auxiliumcybersec.com/?p=2586

Cr0wTom commented 4 years ago

Hello @omarryhan ,

I'm the security researcher that found the vulnerability. I responsibly disclosed it to npm two months ago but no fix or advisory has been issued. After 45 days I made the vulnerability public, as it was agreed by the disclosure policy of npm.

I highly suggest for developers to not use this product as it is outdated and vulnerable with really low probability to get new updates in the future.

Unfortunately, I discovered it in one of my pentests in a production system.

If there are any questions regarding the vulnerability, please don't hesitate to contact me, you or anyone in the community. :)

Cr0wTom commented 4 years ago

Advisory has been released: https://www.npmjs.com/advisories/1519

Cr0wTom commented 3 years ago

CVE-ID has been assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15779

ghost commented 3 years ago

I took note of the vulnerability last week through NPM, but now it no longer shows it when installing the package, yet there are no new versions. Also on the package page on NPM there are no notices anymore, yet no new version is listed to address the issue, weird. The only way I can see the vulnerability notice is by following your link above, so I'm guessing someone removed the notice.

I have however addressed this in my own project code by adding a check to verify the incoming name, checking for both .. and / and rejecting the upload if any matches are found for those in the file name, it is not a hard thing to work around for those who wish to continue to use this tool.

```js
uploader.on('start', (fileInfo) => {
  dolog.log('Started upload..')
  let n = fileInfo.name
  let p = fileInfo.uploadDir
  let owner = fileInfo.data.owner
  // Abort unless the target path reported by the library is exactly the
  // expected upload directory plus the file name (`host` and `dolog` are
  // defined elsewhere in this project).
  if (p != '/root/projects/htdocs/twelixty/uploads/' + host + '/' + n) {
    uploader.abort()
    return
  }
  // Abort uploads that carry no owner.
  if (owner == "" || owner === null || owner === undefined) {
    dolog.log('Stopped upload due to invalid owner.')
    uploader.abort()
    return
  }
})
```

I am wondering if the project creator either abandoned this project thinking it's completed, or if they know that the end user can deal with the issue themselves and is too lazy to deal with it; it's such a simple fix!

Cr0wTom commented 3 years ago

Second high severity vulnerability, with the ability to combine it with the first one in order to acquire remote code execution, on specific configurations.

https://cr0wsplace.wordpress.com/2020/09/26/socket-io-file-2-0-31-file-type-restriction-bypass/

MickL commented 4 months ago

The last update is 5 years old. @rico345100 could you add a note to the readme that this package is no longer maintained and shouldn't be used due to the security vulnerability?