Hello mates, this is my first write-up.
Let’s keep it simple: most of the people reading this have probably struggled a lot, or are still struggling, to find their first bug. Well, I have good news for you: this is all about how you can earn some extra bucks with open-source bug bounty. Yeah, you heard that right: bounties for vulnerabilities in open-source projects.
Introducing huntr.dev, a bug bounty board for securing open-source code. It helps the open-source community disclose and fix security issues and get paid to do it. I’ve been using it for a few months and the experience is pretty amazing. I was able to disclose over 40 and fix over 90 security issues (including npm packages that have 250k average downloads per week). 2 CVE IDs were assigned to me for my findings in the packages nested-object-assign and apexcharts. Check them out here!
If you like reading code or want to help secure open-source code (but for some $$$😅), join huntr now!
require('express') on GitHub. Use filters to get recently active projects.
I was reading the code of all of Mailtrain’s routes to identify the available features. One of the route handlers is:
If you are a little bit familiar with express.js, you would say that line 103 simply renders a template named create-select-template. And what about reqData? Yeah, that’s right: it’s an object that has all the query string parameters passed to this route. So basically it is whatever a user gives as GET parameters.
But this simple line of code doesn’t seem to be vulnerable to anything, right?
When I saw this, one of the write-ups I had read a few months ago came to mind. If you are interested in the root cause of the issue, read it here (you’ll be amazed to see how a simple feature can be turned into a critical vulnerability if misused).
TL;DR: If an express server uses hbs as its view engine for server-side rendering and passes user-controlled query string parameters, without validation, to express’s render() function, an attacker can use a parameter called layout to read arbitrary files on the web server. The reason is that the object passed to render() is not only the template’s data but also the view engine’s options, and hbs treats the layout option as the path of a layout file to load.
If you read the source above, you can see that it uses hbs. At that moment, I was sure it was vulnerable. To test it, I set up Mailtrain locally. Since access to this route requires authentication, the default creds from the repo can be used. With a little curiosity, I gave the layout parameter and got what I expected.
Yeah! Directory traversal🔥. With that, reading local files was as easy as…
Within a few days, the maintainer of Mailtrain reviewed and accepted it. And I got the💰.
I’ve also requested a CVE for this bug and am waiting to hear back from the CNA.
That’s all for now. Stay safe❤️.