config.admins.hasOwnProperty vulnerability not fully fixed #122

Closed
gemaogemaojiushiwo opened this Issue Dec 21, 2013 · 1 comment


@gemaogemaojiushiwo

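I'm not on my own computer right now, so I'm not logging in with my main account...
Anyway, the config.admins.hasOwnProperty vulnerability has not been completely fixed.

At least this one spot is still a latent risk: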

https://github.com/alsotang/cnpmjs.org/blob/ee69ff92613d4bf3a836e42232ecf455dcf48215/middleware/auth.js#L25

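I suggest grepping for it and fixing every occurrence in one pass.

When I found this vulnerability earlier, I only made simple use of it: I bypassed the permission check and uploaded a package that did not exist, nothing more. But because the constructor account is not a maintainer of the express package, I could not overwrite the express package. Just now I was thinking about how to get past the maintainer check after obtaining req.session.isadmin, so I came back to look at the code and found the unfixed spot above.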

@gemaogemaojiushiwo

Just remove lines 25 - 27 at the location above. That is a duplicate assignment.

@fengmk2 fengmk2 was assigned Dec 22, 2013
@fengmk2 fengmk2 added a commit that closed this issue Dec 22, 2013
@fengmk2 fengmk2 fix #122 admin security bug b401ae2
@fengmk2 fengmk2 closed this in b401ae2 Dec 22, 2013
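
The class of bug discussed in this issue, as an added example that is not cnpmjs.org code: it assumes the admin list is a plain object keyed by username and that the weak check was a plain property lookup. The sample `config`, the account names and all function names are hypothetical.

```javascript
'use strict';

// Constructed sample config; account names are placeholders.
const config = { admins: { alice: true, bob: true } };

// Assumed shape of the weak check: a plain lookup also resolves names
// inherited from Object.prototype ("constructor", "toString", ...).
function isAdminUnsafe(admins, name) {
  return !!admins[name];
}

// Own-property check that does not rely on a method reached through
// the admins object itself, and requires an explicit `true` value.
function isAdminSafe(admins, name) {
  return typeof name === 'string' &&
    Object.prototype.hasOwnProperty.call(admins, name) &&
    admins[name] === true;
}

// Alternative: build a Set once at startup so there is no prototype
// chain to consult at request time.
function buildAdminSet(admins) {
  return new Set(Object.keys(admins).filter((n) => admins[n] === true));
}

// Audit helper: usernames the weak check accepts although they are not
// configured admins. Useful as a reserved-name list at registration.
function inheritedNamesAccepted(admins) {
  const names = new Set();
  let proto = Object.getPrototypeOf(admins);
  while (proto) {
    for (const n of Object.getOwnPropertyNames(proto)) names.add(n);
    proto = Object.getPrototypeOf(proto);
  }
  return [...names]
    .filter((n) => isAdminUnsafe(admins, n) && !isAdminSafe(admins, n))
    .sort();
}

// One shared helper for every call site, so a grep for direct
// `config.admins` access shows what still needs converting.
const adminSet = buildAdminSet(config.admins);
function isAdmin(name) {
  return adminSet.has(name);
}
```

Routing every check through one helper like `isAdmin` is what makes the "grep and fix everywhere" step verifiable: any remaining direct read of `config.admins` is a finding.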