
Critical security vulnerability

Open omarryhan opened this issue 4 years ago • 6 comments

https://blog.auxiliumcybersec.com/?p=2586

omarryhan avatar Jul 04 '20 05:07 omarryhan

Hello @omarryhan ,

I'm the security researcher that found the vulnerability. I responsibly disclosed it to npm two months ago but no fix or advisory has been issued. After 45 days I made the vulnerability public, as it was agreed by the disclosure policy of npm.

I highly suggest that developers not use this product, as it is outdated and vulnerable, with a really low probability of getting new updates in the future.

Unfortunately, I discovered it in one of my pentests in a production system.

If there are any questions regarding the vulnerability, please don't hesitate to contact me, you or anyone in the community. :)

Cr0wTom avatar Jul 07 '20 07:07 Cr0wTom

Advisory has been released: https://www.npmjs.com/advisories/1519

Cr0wTom avatar Jul 08 '20 07:07 Cr0wTom

CVE-ID has been assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15779

Cr0wTom avatar Jul 17 '20 10:07 Cr0wTom

I took note of the vulnerability last week through NPM, but now it no longer shows it when installing the package, yet there are no new versions. Also, on the package page on NPM there are no notices anymore either, yet no new version is listed to address the issue, which is weird. The only way I can see the vulnerability notice is by following your link above, so I'm guessing someone removed the notice.

I have, however, addressed this in my own project code by adding a check to verify the incoming name, checking for both `..` and `/` and rejecting the upload if any matches are found for those in the file name. It is not a hard thing to work around for those who wish to continue to use this tool.

```javascript
// `dolog` (logger) and `host` (current virtual host) are defined elsewhere
// in the commenter's application; they are not part of socket.io-file.
uploader.on('start', (fileInfo) => {
  dolog.log('Started upload..')
  let n = fileInfo.name
  let p = fileInfo.uploadDir
  let owner = fileInfo.data.owner

  // Reject the upload unless the destination is exactly the expected
  // per-host upload directory plus the bare file name.
  if (p != '/root/projects/htdocs/twelixty/uploads/' + host + '/' + n) {
    uploader.abort()
    return
  }

  // Reject uploads that do not carry an owner.
  if (owner == "" || owner === null || owner === undefined) {
    dolog.log('Stopped upload due to invalid owner.')
    uploader.abort()
    return
  }
})
```

I am wondering if the project creator either abandoned this project thinking it's completed, or if they know that the end user can deal with the issue themselves and are too lazy to deal with it. It's such a simple fix!

ghost avatar Jul 27 '20 10:07 ghost

Second high severity vulnerability, with the ability to combine it with the first one in order to acquire remote code execution in specific configurations.

https://cr0wsplace.wordpress.com/2020/09/26/socket-io-file-2-0-31-file-type-restriction-bypass/

Cr0wTom avatar Sep 30 '20 22:09 Cr0wTom

The last update is 5 years old. @rico345100 could you add a note to the readme that this package is no longer maintained and shouldn't be used due to the security vulnerability?

MickL avatar Feb 12 '24 14:02 MickL