-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
huntr.dev - Command Injection #66
Comments
Hi @Mik317 Please see
I'm open to a PR and have tagged this Up for Grabs. The way to do this properly is probably to whitelist all permutations of |
@michaelsanford - please see #67 for a suggested fix! 🍰 |
Hi @michaelsanford :), I saw the fix that has been proposed, and I can confirm the issue is fixed properly through this. Best, Mik |
This commit address the issues mentioned Node-Virtualization#66 (comment) & https://app.codacy.com/manual/michaelsanford/node-virtualbox/pullRequest?prid=5341369.
@Mik317 @colonelpopcorn - I have made the code quality changes requested and updated the Let me know your thoughts and if you are happy to merge! 🍰 |
This one's been merged in! |
This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Vulnerability Description
The issue occurs because a
user input
is formatted inside acommand
that will be executed without any check. The issue arises here: https://github.com/Node-Virtualization/node-virtualbox/blob/master/lib/virtualbox.js#L58Steps To Reproduce:
HACKED
HACKED
has been createdBug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
The text was updated successfully, but these errors were encountered: