
[GHSA-pg6w-hq9f-wfwr] resumable.php (aka PHP backend for resumable.js) 0.1.4...

Open. williamdes opened this pull request 2 years ago. 12 comments.

Updates

  • Affected products
  • CWEs
  • Description
  • Severity
  • Source code location
  • Summary

Comments

I am the CVE reporter

williamdes, Dec 27 '23 10:12

Hi there, I think I follow on adding the package dilab/resumable.php, but how do you justify the other packages being added? They seem unrelated to me.

darakian, Jan 05 '24 22:01

> Hi there, I think I follow on adding the package dilab/resumable.php, but how do you justify the other packages being added? They seem unrelated to me.

I did search for forked repositories and projects using the same code. They should also be warned that they are vulnerable, since they copy-pasted the code or the vulnerable parts.

williamdes, Jan 05 '24 23:01

I see. They could differ such that they are not affected though, correct? The CVE itself also states:

> File overwrite hasn't been possible with the code available in GitHub in recent years, however.

Which would imply that any recent forks are not subject to this vuln.

darakian, Jan 06 '24 00:01

> Which would imply that any recent forks are not subject to this vuln.

Well, that was me adding context to the CVE request. But that's not how it should be understood. Recent forks are less highly vulnerable but still vulnerable. You still can create files, but not overwrite them.

> I see. They could differ such that they are not affected though correct?

Most probably. I can script something to check each of them if you prefer.

williamdes, Jan 06 '24 09:01

> Well, that was me adding context to the CVE request. But that's not how it should be understood. Recent forks are less highly vulnerable but still vulnerable. You still can create files, but not overwrite them.

Gotcha. I guess those file creations would also be limited by the scope of the running process as well.

> Most probably. I can script something to check each of them if you prefer.

Ya that'd be cool. A minimal POC I can validate against the packagist packages would be great.

darakian, Jan 08 '24 18:01

Still on my TODO list 👍🏻

williamdes, Jan 23 '24 10:01

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

taladrane, Feb 09 '24 16:02

Can you apply my suggested change, @darakian? I think it is better to apply this PR as is, without the extra packages, and improve the affected packages in another PR.

williamdes, Feb 11 '24 13:02

Sorry, I may have missed the POC. Can you point me at it?

darakian, Feb 12 '24 19:02

> Sorry, I may have missed the POC. Can you point me at it?

There is no POC for now, at least for the forked repos. But for the main repo there is a POC: https://github.com/dilab/resumable.php/pull/39/commits/408f54dff10e48befa44d417933787232a64304b

williamdes, Feb 22 '24 22:02

I see, but based on the conversation we had up here, https://github.com/github/advisory-database/pull/3214#issuecomment-1879604807, I was under the impression that we agreed that the forks could have a different impact, given that they may have forked off more recent/fixed code.

darakian, Feb 23 '24 19:02


> I see, but based on the conversation we had up here #3214 (comment) I was under the impression that we agreed that the forks could have different impact given that they may have forked off of more recent/fixed code.

And I said that I prefer to do a first PR with the repository we know has the security issue, and maybe one day do another one with a POC to add more. See https://github.com/github/advisory-database/pull/3214#issuecomment-1937758574 and https://github.com/github/advisory-database/pull/3214#discussion_r1485597289

williamdes, Mar 27 '24 12:03
