config.admins.hasOwnProperty vulnerability not fully fixed #122

Closed
gemaogemaojiushiwo opened this Issue Dec 21, 2013 · 1 comment

gemaogemaojiushiwo commented Dec 21, 2013

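I'm not on my own computer right now, so I'm not logging in with my main account...
Anyway, the config.admins.hasOwnProperty vulnerability has not been completely fixed.

At least this one spot is still a latent risk:

https://github.com/alsotang/cnpmjs.org/blob/ee69ff92613d4bf3a836e42232ecf455dcf48215/middleware/auth.js#L25

I suggest grepping for it and fixing all of them in one pass.

When I found this vulnerability earlier, I only exploited it in a simple way: I just bypassed the permission check and uploaded a package that did not exist. But because the constructor account is not a maintainer of the express package, there was no way to overwrite the express package. Just now I was thinking about how to bypass the maintainer check after getting req.session.isadmin, so I came back to look at the code and found the unfixed spot above.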


gemaogemaojiushiwo commented Dec 21, 2013

Just remove lines 25 - 27 at the location above. That is a duplicate assignment.

@ghost ghost assigned fengmk2 Dec 22, 2013

@fengmk2 fengmk2 closed this in b401ae2 Dec 22, 2013
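An added example, not part of the original thread and not the cnpmjs.org code: it contrasts an admin check that reads a plain object by user name with one that only accepts own properties, which is the class of bug the issue describes with the `constructor` account. The `config` shape, the admin name and the function names are assumptions made for illustration.

```javascript
// Constructed sample config; the name -> email shape is an assumption.
const config = { admins: { admin1: 'admin1@example.com' } };

// Weak form: a plain property read walks the prototype chain, so a user name
// such as "constructor" resolves to an inherited Object.prototype member,
// which is truthy.
function isAdminUnsafe(admins, name) {
  return Boolean(admins[name]);
}

// Hardened form: only own properties count. Calling the method through
// Object.prototype avoids relying on a hasOwnProperty the object could shadow.
function isAdminSafe(admins, name) {
  return typeof name === 'string' &&
    Object.prototype.hasOwnProperty.call(admins, name);
}

// Alternative: copy the list into a prototype-less object once at startup,
// so there are no inherited keys for a lookup to hit.
function toNullProtoMap(admins) {
  return Object.assign(Object.create(null), admins);
}

// Run every check over a list of user names and report the results side by
// side, so a remaining weak check is easy to spot in review or in a test.
function audit(admins, names) {
  const bare = toNullProtoMap(admins);
  return names.map((name) => ({
    name,
    unsafe: isAdminUnsafe(admins, name),
    safe: isAdminSafe(admins, name),
    nullProto: Boolean(bare[name]),
  }));
}

// Constructed user names: one real admin, three inherited keys, one non-admin.
const sampleNames = ['admin1', 'constructor', 'toString', '__proto__', 'alice'];
console.table(audit(config.admins, sampleNames));
```

A regression test built on `audit` catches any call site that still uses the weak form after a grep-and-fix pass.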
