This repository has been archived by the owner on Sep 1, 2023. It is now read-only.

Bundled alchemist-server is vulnerable to remote code execution #85

Closed
ivan opened this issue Feb 21, 2017 · 4 comments

@ivan

ivan commented Feb 21, 2017

alchemist.vim includes an alchemist-server vulnerable to unauthenticated remote code execution (see tonini/alchemist-server#14). It's unfixed as of now, but I'm opening this tracking issue as a (hopefully useful) reminder to update alchemist-server once that bug is fixed.

slashmili added a commit that referenced this issue Feb 23, 2017
Disable EVAL command as it is open to remote code execution vulnerability #85
@slashmili
Owner

@ivan thanks for reporting it.

I removed EVAL command from this repo since we don't use it directly here!

@ivan
Author

ivan commented Feb 23, 2017

@ivan
Author

ivan commented Feb 25, 2017

I think this should be reopened because "anyone" can still execute code on the machines of alchemist.vim users.

@slashmili
Owner

Fixed in 2.8.0. Please update your plugin
