Prototype Pollution #44

Closed
msrkp opened this issue May 14, 2021 · 13 comments

Comments

@msrkp

msrkp commented May 14, 2021

I'm submitting a bug report

parseQueryString of aurelia path is vulnerable to prototype pollution.

POC
aurelia blog is using parseQueryString to parse location.search, so it is vulnerable to prototype pollution

  1. Open the following URL: https://aurelia.io/blog/?__proto__[asdf]=asdf
  2. Open Devtools Console, and check the Object.prototype
  3. You can notice Object being polluted with the "asdf" property.
@bigopon
Member

bigopon commented May 14, 2021

@msrkp thanks for the issue. Will be fixed soon.

@tylerdotson

Is there an update on when this will be fixed?

@bigopon
Member

bigopon commented Jun 9, 2021

Fixed in my local, doing some cleanup and deps upgrade. Will get this in soon

@tylerdotson

Thank you, @bigopon! Your hard work is greatly appreciated! Do you know when the next release will be?

@bigopon
Member

bigopon commented Jun 10, 2021

@tylerdotson probably in a few days. I'll work with @EisenbergEffect to do a release for this.

@msrkp
Author

msrkp commented Jun 18, 2021

@bigopon the fix can be bypassed with `__proto__=x&0[xxx]=xxx`
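The parsing flaw the report describes, and the second payload quoted just above, as an added example that is not aurelia-path's code and does not reproduce the project's actual implementation or the mechanics of its first fix. It assumes a query-string parser that expands bracket notation (`a[b]=c` into `{a: {b: "c"}}`); `parseQueryNaive`, `parseQuerySafe`, `splitKey` and `isPolluted` are hypothetical names. The naive form shows why walking a `__proto__` segment pollutes `Object.prototype`; the hardened form filters every path segment and uses null-prototype containers.

```javascript
// Added example, not aurelia-path's code. A minimal query-string parser that
// expands bracket notation ("a[b]=c" -> {a: {b: "c"}}) like the one the issue
// describes, first in a naive form that is vulnerable to prototype pollution,
// then hardened. The two payloads are the ones quoted in the thread.

const PAYLOAD_REPORTED = "?__proto__[asdf]=asdf"; // from the original report
const PAYLOAD_BYPASS = "?__proto__=x&0[xxx]=xxx"; // from the follow-up comment

// Keys that must never be used as a property-path segment on a parse result.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"] (hypothetical helper).
function splitKey(rawKey) {
  const m = /^([^\[]*)((?:\[[^\]]*\])*)$/.exec(rawKey);
  if (!m) return [rawKey];
  const parts = [m[1]];
  const bracket = /\[([^\]]*)\]/g;
  let sub;
  while ((sub = bracket.exec(m[2])) !== null) parts.push(sub[1]);
  return parts;
}

// Yield [pathSegments, value] for each key=value pair in the query string.
function* pairs(search) {
  const qs = search.startsWith("?") ? search.slice(1) : search;
  if (!qs) return;
  for (const pair of qs.split("&")) {
    const eq = pair.indexOf("=");
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
    yield [splitKey(rawKey), value];
  }
}

// VULNERABLE: plain {} containers and no key filtering. Walking into a
// "__proto__" segment lands the cursor on Object.prototype, so the final
// assignment writes a property that every object in the process inherits.
function parseQueryNaive(search) {
  const result = {};
  for (const [path, value] of pairs(search)) {
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cursor[path[i]] !== "object" || cursor[path[i]] === null) {
        cursor[path[i]] = {};
      }
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: every segment of every key is checked against FORBIDDEN_KEYS (so
// "a[__proto__][x]=y" is rejected too, not only a leading "__proto__"), and
// all containers are null-prototype objects, so even an unexpected key cannot
// reach a shared prototype through property lookup.
function parseQuerySafe(search) {
  const result = Object.create(null);
  for (const [path, value] of pairs(search)) {
    if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) continue; // drop the pair
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cursor[path[i]] !== "object" || cursor[path[i]] === null) {
        cursor[path[i]] = Object.create(null);
      }
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Detection check usable in a test suite or a runtime self-check: does
// Object.prototype now carry an own property it should not?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Run both parsers against both payloads and report whether the global
// prototype was touched; undoes the naive parser's pollution afterwards.
function demo() {
  parseQueryNaive(PAYLOAD_REPORTED);
  const naivePolluted = isPolluted("asdf");
  delete Object.prototype.asdf;
  parseQuerySafe(PAYLOAD_REPORTED);
  parseQuerySafe(PAYLOAD_BYPASS);
  const safePolluted = isPolluted("asdf") || isPolluted("xxx");
  return { naivePolluted, safePolluted };
}

console.log(demo()); // { naivePolluted: true, safePolluted: false }
```

Two design points matter for the fix: the deny-list has to be applied to every segment of the key path, not only the first one, because a nested `__proto__` reaches the same object; and null-prototype containers remove the prototype chain entirely, so the result of a parse cannot be used to reach `Object.prototype` even if the filter is later weakened. `isPolluted` is the check a regression test for this class of bug should make after parsing untrusted input.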

@bigopon
Member

bigopon commented Jun 19, 2021

@msrkp thanks for catching that! It's fixed in the latest commit.

@bigopon bigopon closed this as completed in 7c4e235 Jul 1, 2021
@msrkp
Author

msrkp commented Sep 21, 2021

Hi @bigopon,
Is it possible to get Github security advisory or CVE for this bug?

@bigopon
Member

bigopon commented Sep 26, 2021

Hi @msrkp, the advisory has been created GHSA-3c9c-2p65-qvwv
I'm not familiar with the process, can you help check if there's something missing?

@msrkp
Author

msrkp commented Sep 26, 2021

Hi @bigopon,

Awesome, thanks.
By the way, I read in the GitHub docs that you can request a CVE, can you please do that?

If you don't already have a CVE identification number for the security vulnerability in your project, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours. Requesting a CVE identification number doesn't make your security advisory public. If your security advisory is eligible for a CVE, GitHub will reserve a CVE identification number for your advisory. We'll then publish the CVE details after you publish the security advisory.

More details are available here https://docs.github.com/en/code-security/security-advisories/publishing-a-security-advisory

Thanks and Regards,
s1r1us

@bigopon
Member

bigopon commented Sep 26, 2021

That is also done. I wasn't sure whether it's needed after creating the advisory. Thanks for the reply.

@mukundbhuva

Hello,

It is still not fixed on the live host.
Browser: Firefox
POC: https://aurelia.io/blog/404/?__proto__[test]=test

@bigopon
Member

bigopon commented Jun 2, 2022

Thanks @mukundbhuva. The site code needs to be rebuilt. Will do so.
