
Critical Vulnerabilities: Add Security Warning to Package

Open amiller-si opened this issue 3 years ago • 5 comments

Describe the problem

The current version of PhantomJS is vulnerable to SSRF and local file read attacks. These are highly impactful vulnerabilities. From reading the readme, it is evident that this is no longer being developed, but there is no indication that there are known, severe vulnerabilities.

Versions

Which PhantomJS version? 2.1.1
Which OS (Linux, Windows, macOS)? Linux

https://nvd.nist.gov/vuln/detail/CVE-2019-17221 https://nvd.nist.gov/vuln/detail/CVE-2020-7739

I have verified both of these in a test environment.

amiller-si, Jun 17 '22 19:06

@amiller-si Thanks for the info! Do you have any suggestions for alternative programs that might fill the same function as PhantomJS?

I'm currently working my way through The Hacker Playbook: A practical guide to penetration testing by Peter Kim, and he had recommended using an older version of this software. Obviously, I won't want to use this if it's got some known vulnerabilities, and isn't actively being maintained.

michael-hart-github, Jun 27 '22 15:06

Development is no longer suspended; @ariya has un-archived the project again in 2020. However, he needs much more help than he is getting. Part of the reason he temporarily archived the project in 2018 was that expectations were much higher than he felt he could meet. This is probably also why the README hasn't been updated yet. The best way to get issues fixed is to submit patches (second best is to donate).

@michael-hart-github PhantomJS is a pretty unique project, so unfortunately there is no direct replacement. Your options are either to use WebDriver to automate a regular web browser such as Firefox, or to use JSDOM.

jgonggrijp, Jun 28 '22 11:06

@jgonggrijp Thank you kindly for the information. I hope the project goes well. If there is any need for documentation writing, feel free to ping me. :)

michael-hart-github, Jul 01 '22 00:07

@michael-hart-github Ironically, I'm not (yet) involved in PhantomJS development myself, just keeping a tab on the project. Based on a search for issues with the documentation label, it seems you could currently contribute in that area.

jgonggrijp, Jul 01 '22 09:07

Playwright can automate WebKit.

reviewher, Jul 07 '22 03:07

@amiller-si do you know what phantomjs-seo (which is mentioned in the description of CVE-2020-7739) is?

gamer191, Aug 23 '22 08:08

@gamer191 It appears to be a rarely used middleware that uses PhantomJS: https://github.com/areverberi/phantomjs-seo However, PhantomJS itself has both SSRF and local file read vulns, so the source of this issue might be slightly mis-attributed to phantomjs-seo rather than PhantomJS.

amiller-si, Aug 23 '22 17:08

Due to our very limited maintenance capacity, we need to prioritize our development focus on other tasks. Therefore, this issue will be automatically closed (see #15395 for more details). In the future, if we see the need to attend to this issue again, then it will be reopened. Thank you for your contribution!

stale[bot], Sep 21 '22 01:09