
[BUG] CVE-2021-36471

Open zhouf003 opened this issue 2 years ago • 3 comments

https://gist.github.com/cybersaki/31ffe679a5552c1047164e3a5b01c2fd

Describe the bug: This vulnerability can be searched by using the google dork 'inurl:"/admin/index2.html"' or 'inurl:"/admin/index3.html"' (without single quotes). AdminLTE dashboards have index2.html/index3.html in their products. Using this we can search for the AdminLTE templates which are being used in websites.

Expected behavior: Is there any patch which will fix this bug?

Environment (please complete the following information): AdminLTE 3.1.0

zhouf003, Mar 01 '23 08:03

Please explain to me how we (AdminLTE) should fix this? There is nothing that the template could do to avoid this; that's a failure of the developers of the sites with the vulnerability itself.

REJack, Jun 10 '23 16:06

Yep, these files simply shouldn't be included in the production build of the implementing project.

This bug is a by-product of exposing your entire node_modules folder publicly, which should be avoided unless you really know what you're doing.

If any files are required from node_modules they should be imported using a bundler but if you need them in the browser, then NPM probably isn't the right tool. In those instances, you should use a CDN build or copy a static version of the file to a separate folder, which is publicly available using a URL.

codetheorist, Sep 23 '23 16:09