Prototype Pollution with Remote Code Execution #1495
Comments
This commit fixes a Remote Code Execution (RCE) reported by npm-security. Access to non-enumerable "constructor"-properties is now prohibited by the compiled template-code, because this is the first step on the way to creating and executing arbitrary JavaScript code. The vulnerability affects systems where an attacker is allowed to inject templates into the Handlebars setup. Further details of the attack may be disclosed by npm-security. Closes #1267 Closes #1495
Version Another more complete fix will follow.
* Change amplitude project keys. * Initialize amplitude only once in `amplitude.js`. * Upgrade Handlebars to fix security issue: handlebars-lang/handlebars.js#1495
@nknapp I'm considering updating our information to include these vulnerable ranges: Vulnerable: Vulnerable: Vulnerable: Does that
Hi @laserlemon Thanks for taking a look into this
@dougwilson Thank you! We've updated our GitHub security advisory to contain the three vulnerable version ranges described above. Inaccurate alerts were automatically removed and new alerts are in the process of being created. If anybody still has an inaccurate alert or is missing an alert in 48 hours, please reach out!
Thank you @dougwilson for the clarifications. It represents more or less my level of knowledge. Perhaps I can give a little more detail on the affected legacy versions: The published exploits don't work on a plain Handlebars 3.x installation, because the For Prior to 3.0, there is no support for block-parameters at all, so the published exploits don't work. Finally, I have not looked very hard for ways to exploit the prototype-pollution without block-parameters, but I cannot exclude the possibility that an exploit exists. So the ranges you provide seem to be reasonable. /cc @laserlemon
@nknapp @laserlemon Quick clarification: This issue which was fixed in Handlebars is just to stop the prototype pollution. The RCE was not on the Handlebars side, am I right? If the RCE was on the Handlebars side, how could it be exploited?
At the beginning of the year, we were notified by npm-security about a vulnerability that allowed template creators to execute arbitrary JavaScript code.
By accessing the object's constructor, it is possible to fabricate and execute arbitrary Functions.
In an environment where Handlebars is executed in a NodeJS environment, this means that anybody who can modify Handlebars templates can also access the file system, spawn sub-processes and open network connections from the NodeJS server.
The vulnerability has been fixed in version 4.0.13 and 4.1.0 by forbidding access to the constructor. So far, we have not been able to reproduce the vulnerability with 3.x versions.
https://www.npmjs.com/advisories/755
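The commit message and the issue description above both come down to one rule: compiled template code must not resolve inherited properties such as `constructor` on the data it renders. The following is an added illustration of that guard, written for this thread; it is not Handlebars' own code and does not use its API. The names `naiveLookup`, `safeLookup`, `resolvePath` and `render` are hypothetical, and the sample context is constructed. It places a prototype-chain-walking lookup next to an own-property-only lookup so the difference is visible on the same template.

```javascript
// Added illustration (not Handlebars' code): why a template engine must not
// resolve inherited properties such as "constructor" from render data.
const hasOwn = Object.prototype.hasOwnProperty;

// Naive lookup: plain property access walks the prototype chain, so
// "constructor" on any plain object resolves to a Function. This is the
// first step of the chain described in the issue.
function naiveLookup(parent, name) {
  return parent == null ? undefined : parent[name];
}

// Guarded lookup: only properties the context object owns itself are
// visible to templates. Inherited names (constructor, __proto__, toString,
// hasOwnProperty, ...) resolve to undefined, mirroring the fix in this issue.
function safeLookup(parent, name) {
  if (parent == null) return undefined;
  return hasOwn.call(parent, name) ? parent[name] : undefined;
}

// Minimal dotted-path resolver ({{a.b.c}}) with a pluggable lookup,
// standing in for the compiled template code. Hypothetical helper.
function resolvePath(context, path, lookup) {
  return path.split('.').reduce((current, segment) => lookup(current, segment), context);
}

// Minimal {{ path }} renderer. Defaults to the guarded lookup; the naive
// lookup is accepted only to show what the unguarded behaviour returns.
function render(template, context, lookup = safeLookup) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = resolvePath(context, path, lookup);
    return value == null ? '' : String(value);
  });
}

// Constructed sample context (not from the issue).
const sampleContext = { user: { name: 'alice' }, items: ['a', 'b'] };

// Stand-alone demonstration.
console.log(render('Hi {{user.name}}, second item: {{items.1}}', sampleContext));
console.log('naive  {{user.constructor}} ->', render('{{user.constructor}}', sampleContext, naiveLookup));
console.log('safe   {{user.constructor}} ->', JSON.stringify(render('{{user.constructor}}', sampleContext)));
```

With the guarded lookup, `{{user.constructor}}` renders as an empty string, while ordinary data access (`{{user.name}}`, `{{items.1}}`) is unchanged; the naive lookup renders the `Object` constructor's source text, which is exactly the object a template must never be able to reach. A data property literally named `constructor` on the context object itself is still its own property and would still resolve, which matches the commit message's wording about non-enumerable, i.e. inherited, `constructor` properties.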