[Security] Full Path Disclosure #542

Open
shayanb opened this issue Jan 12, 2018 · 5 comments
shayanb commented Jan 12, 2018

Sending unexpected* data to the broadcast endpoint /insight-api/tx/send results in an error message which contains the path of the node app.

Full Path Disclosure Vulnerability

Example Code:

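var request = require('request');

// `url` is the base URL of the insight-api instance, defined elsewhere.
function broadcastTX (transactionHex, done) {
  var broadcastUrl = url + 'tx/send';
  request.post({
    headers: {'content-type': 'application/json'},
    url: broadcastUrl,
    // request has no `params` option, so the POST body carries no rawtx
    // (this is the unexpected data that triggers the error page)
    params: {'rawtx': transactionHex}
  }, function (error, response, body) {
    if (error) console.log(error);
    console.log('txid', body);
    done(body);
  });
}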

examples:

  1. Trezor.io (https://bch-bitcore2.trezor.io)
    /mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/bitcoind-rpc/lib/index.js
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>TypeError: Cannot read property &#39;toString&#39; of undefined<br> &nbsp; &nbsp;at Array.types.str (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/bitcoind-rpc/lib/index.js:283:17)<br> &nbsp; &nbsp;at RpcClient.&lt;anonymous&gt; (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/bitcoind-rpc/lib/index.js:259:35)<br> &nbsp; &nbsp;at Bitcoin.sendTransaction (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/bitcore-node/lib/services/bitcoind.js:1806:15)<br> &nbsp; &nbsp;at Node.self.(anonymous function) [as sendTransaction] (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/bitcore-node/lib/node.js:223:27)<br> &nbsp; &nbsp;at TxController.send (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/insight-api/lib/transactions.js:303:13)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at next (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/express/lib/router/route.js:137:13)<br> &nbsp; &nbsp;at Route.dispatch (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/express/lib/router/route.js:112:3)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at /mnt/data/ssd/satoshilabs/bitcore-bcc/bitcore/node_modules/express/lib/router/index.js:281:22</pre>
</body>
</html>
  2. blockdozer.com
    /home/bitprim/mynode/node_modules/bitcore-node/node_modules/bitcoind-rpc/lib/index.js
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>TypeError: Cannot read property &#39;toString&#39; of undefined<br> &nbsp; &nbsp;at Array.types.str (/home/bitprim/mynode/node_modules/bitcore-node/node_modules/bitcoind-rpc/lib/index.js:260:17)<br> &nbsp; &nbsp;at RpcClient.&lt;anonymous&gt; (/home/bitprim/mynode/node_modules/bitcore-node/node_modules/bitcoind-rpc/lib/index.js:236:35)<br> &nbsp; &nbsp;at Bitcoin.sendTransaction (/home/bitprim/mynode/node_modules/bitcore-node/lib/services/bitcoind.js:1804:15)<br> &nbsp; &nbsp;at Node.self.(anonymous function) [as sendTransaction] (/home/bitprim/mynode/node_modules/bitcore-node/lib/node.js:223:27)<br> &nbsp; &nbsp;at TxController.send (/home/bitprim/mynode/node_modules/insight-api/lib/transactions.js:303:13)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/home/bitprim/mynode/node_modules/bitcore-node/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at next (/home/bitprim/mynode/node_modules/bitcore-node/node_modules/express/lib/router/route.js:137:13)<br> &nbsp; &nbsp;at Route.dispatch (/home/bitprim/mynode/node_modules/bitcore-node/node_modules/express/lib/router/route.js:112:3)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/home/bitprim/mynode/node_modules/bitcore-node/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at /home/bitprim/mynode/node_modules/bitcore-node/node_modules/express/lib/router/index.js:281:22</pre>
</body>
</html>

It seems that all other deployments of insight have this vulnerability.


gabegattis commented Jan 15, 2018

This is probably due to a non-production environment, which causes express to send a stack trace.

https://expressjs.com/en/guide/error-handling.html

@gabegattis

We should have a way to set the NODE_ENV environment variable to "production".
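The two fixes this thread points at, as an added example that is not part of the thread and is not insight-api or Express code: reject a request without a usable `rawtx` before it reaches the RPC client, and install a final error handler that logs the stack on the server and returns a fixed body whatever NODE_ENV is set to. The function names and the mock response object are hypothetical; the middleware only follows the Express `(req, res, next)` and `(err, req, res, next)` signatures.

```javascript
// Added example: Express-style middleware, runnable without Express.
// `rawtx` is the field from the issue's request; all function names are hypothetical.

// Reject a missing or non-hex rawtx before it reaches the RPC client,
// so the TypeError in the traces above is never thrown.
function requireRawTx(req, res, next) {
  const rawtx = req.body && req.body.rawtx;
  if (typeof rawtx !== 'string' || rawtx.length === 0 ||
      rawtx.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(rawtx)) {
    return res.status(400).json({ error: 'rawtx must be a hex string' });
  }
  next();
}

// Final error handler: the stack goes to the server log, the client gets a fixed body.
// Behaves the same whether or not NODE_ENV is "production".
function safeErrorHandler(log) {
  return function (err, req, res, next) {
    log(err && err.stack ? err.stack : String(err));
    if (res.headersSent) return next(err);
    res.status(500).json({ error: 'Internal Server Error' });
  };
}

// Response check: true if the body holds a stack frame with an absolute path.
function leaksStackPath(body) {
  return /\bat\s[^\n]*?(\/|[A-Za-z]:\\)[^\s()]+:\d+:\d+/.test(String(body));
}

// Minimal stand-in for an Express response object (constructed for this demo).
function mockRes() {
  return {
    statusCode: 200, body: null, headersSent: false,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = JSON.stringify(obj); this.headersSent = true; return this; }
  };
}

// Replays the issue's case: a body without rawtx, then an error reaching the handler.
function demo() {
  const logged = [];
  const res1 = mockRes();
  let passed = false;
  requireRawTx({ body: {} }, res1, () => { passed = true; });
  const res2 = mockRes();
  const err = new TypeError("Cannot read property 'toString' of undefined");
  safeErrorHandler((line) => logged.push(line))(err, {}, res2, () => {});
  return { passed, res1, res2, logged };
}
```

`leaksStackPath` can be run over the responses of a deployed instance's own error paths to confirm that no stack frames reach clients.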


shayanb commented Jan 18, 2018

It is applicable to almost all insight-api's available online atm.


shayanb commented Apr 4, 2018

@NicoleG25

Do you plan to address this vulnerability?

We should have a way to set the NODE_ENV environment variable to "production".
