How to get in touch regarding a security concern #465
Comments
Thanks for the feedback! I just configured the security policy https://github.com/KnpLabs/snappy/blob/master/SECURITY.md. Looking forward to hearing from you! |
Hi, I'm Shauqi from netbytesecurity. I would like to report a security issue in knplabs/snappy v1.4.1.
It is also reported via the huntr.dev platform, link: https://huntr.dev/bounties/b2c2743b-9d2c-4549-bfdd-782d13e86967/
Vulnerability Name: Phar Deserialization of Untrusted Data
Vulnerability Description: snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server, he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony, or with vulnerable developer code. If the user can control the output file from the generateFromHtml() function, it will invoke deserialization.
Impact: This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.
For a detailed explanation please refer to huntr.dev at the given link above.
I would love to hear from you soon. Thank you.
Regards,
Shauqi
|
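The pattern the report describes, as an added example that is not code from KnpLabs/snappy, from the reporter, or from the fix that shipped: a simplified output-path preparation routine in its vulnerable form, beside a hardened form that rejects stream-wrapper schemes before the first filesystem call. The class and method names (VulnerableOutputPreparer, SafeOutputPreparer, prepare, assertLocalPath) and the sample paths are assumptions for illustration only.

```php
<?php
// Added example, not KnpLabs/snappy code. Class and method names are
// hypothetical; the sample paths at the bottom are constructed for the demo.
declare(strict_types=1);

final class VulnerableOutputPreparer
{
    // Vulnerable pattern: a user-controlled output path reaches file_exists()
    // unchecked. file_exists() resolves PHP stream wrappers, so an input such
    // as 'phar://uploads/avatar.jpg/x' makes the phar wrapper open the
    // uploaded file as an archive; on PHP 7.x that unserializes the archive
    // metadata (running any __wakeup()/__destruct() gadgets the application
    // or its frameworks provide) before this method can reject anything.
    public function prepare(string $output, bool $overwrite): void
    {
        if (file_exists($output)) {
            if (!$overwrite) {
                throw new RuntimeException(sprintf('The output file "%s" already exists.', $output));
            }
            unlink($output);
        }
    }
}

final class SafeOutputPreparer
{
    public function prepare(string $output, bool $overwrite): void
    {
        // Validate the string before anything touches the filesystem: the
        // stat call itself is the deserialization trigger, so a check placed
        // after file_exists() would be too late.
        self::assertLocalPath($output);

        if (file_exists($output)) {
            if (!$overwrite) {
                throw new RuntimeException(sprintf('The output file "%s" already exists.', $output));
            }
            unlink($output);
        }
    }

    /**
     * Rejects any path that names a stream-wrapper scheme other than file://.
     * A scheme is an RFC 3986 scheme name followed by "://"; phar://, php://,
     * ftp:// and every other registered wrapper take that shape, so this is
     * an allowlist of plain paths plus file:// rather than a blocklist of
     * known-bad wrappers. A Windows drive prefix such as "C:\out.pdf" has no
     * "//" after the colon and is left alone. Matching is case-insensitive so
     * that "PHAR://" is not a bypass.
     */
    public static function assertLocalPath(string $path): void
    {
        if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $path, $m) === 1
            && strtolower($m[1]) !== 'file') {
            throw new InvalidArgumentException(
                sprintf('Refusing output path with "%s://" stream wrapper.', $m[1])
            );
        }
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: ordinary paths that must be accepted, and the
    // wrapper-prefixed shapes that must be refused before any stat happens.
    $samples = [
        '/tmp/out/report.pdf',
        'file:///tmp/out/report.pdf',
        'C:\\out\\report.pdf',
        'phar://uploads/avatar.jpg/x',
        'PHAR://uploads/avatar.jpg/x',
        'php://filter/resource=/etc/passwd',
    ];
    foreach ($samples as $p) {
        try {
            SafeOutputPreparer::assertLocalPath($p);
            echo "accept  $p\n";
        } catch (InvalidArgumentException $e) {
            echo "reject  $p  ({$e->getMessage()})\n";
        }
    }
}
```

Two caveats for anyone porting this check. PHP 8.0 stopped unserializing PHAR metadata automatically on file operations (metadata is only parsed when Phar::getMetadata() is called), so the file_exists() trigger described in the report applies to PHP 7.x and earlier; the scheme check remains worthwhile on PHP 8 because other wrappers (php://, ftp://, http://) are still reachable through a user-supplied output path. And the check only covers the output path; the same validation belongs on any input path that the application hands to a file function before it has verified where the string came from.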
Fixed in #469 |
Hi @AntoineLelaisant can you please attribute credit to @nightfury99 instead of me? Also should we attribute a CVE for the finding? :) |
Credits updated 😉! We already asked for a CVE from Github to be generated. It should be provided within 3 working days. Thanks for your reporting! |
Hi @AntoineLelaisant <https://github.com/AntoineLelaisant> thank you for generating the CVE 🥳. If possible, I would like to insert my company name as well, NetbyteSec <http://www.netbytesec.com>, into the credit. Sorry for the late reply. Thank you.
|
Hi, can I have an update on this? If this is not possible, do let me know. Thank you.
|
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@nightfury99) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future. Looking forward to hearing from you 👍
(cc @huntr-helper)