Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2020/06/19 16:59:43 UTC

[GitHub] [cordova-serve] huntr-helper opened a new issue #36: Security Notice & Bug Bounty - Remote Code Execution - huntr.dev

huntr-helper opened a new issue #36:
URL: https://github.com/apache/cordova-serve/issues/36


   This issue has been generated on behalf of Mik317 (https://huntr.dev/app/users/Mik317)
   
   # Overview
   
   [cordova-serve](https://github.com/apache/cordova-serve) provides a JavaScript API to serve up a Cordova application in the browser.
   
   The issue occurs because a `user input` is formatted inside a `command` that will be executed without any check.
   
   
   
   # Bug Bounty
   
   We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
   
   We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
   
   _Automatically generated by @huntr-helper..._


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


[GitHub] [cordova-serve] JamieSlome commented on issue #36: Security Notice & Bug Bounty - Remote Code Execution - huntr.dev

Posted by GitBox <gi...@apache.org>.
JamieSlome commented on issue #36:
URL: https://github.com/apache/cordova-serve/issues/36#issuecomment-649548408


   Hey @purplecabbage - whilst the attack vector might be unclear, it is clearly an unintended behaviour as mentioned in https://github.com/apache/cordova-serve/pull/37#pullrequestreview-437053977.
   
   Please let me know if you have any more questions! 🍰 




[GitHub] [cordova-serve] huntr-helper commented on issue #36: Suspected Vulnerability & Bug Bounty - External Code Execution - huntr.dev

Posted by GitBox <gi...@apache.org>.
huntr-helper commented on issue #36:
URL: https://github.com/apache/cordova-serve/issues/36#issuecomment-732187706


   ### Bug Bounty
   
   We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability? Go to https://huntr.dev/
   
   We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
   
   _Automatically generated by @huntr-helper..._




[GitHub] [cordova-serve] huntr-helper commented on issue #36: Security Notice & Bug Bounty - Remote Code Execution - huntr.dev

Posted by GitBox <gi...@apache.org>.
huntr-helper commented on issue #36:
URL: https://github.com/apache/cordova-serve/issues/36#issuecomment-648752851


   ‎‍🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/cordova-serve/pull/2
   
   🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.




[GitHub] [cordova-serve] purplecabbage commented on issue #36: Security Notice & Bug Bounty - Remote Code Execution - huntr.dev

Posted by GitBox <gi...@apache.org>.
purplecabbage commented on issue #36:
URL: https://github.com/apache/cordova-serve/issues/36#issuecomment-649066476


   So you are saying that a user could hack their own machine?  What would be the point of reaching through cordova-serve to execute code when you could just execute the code?
   
   Vulnerabilities should be submitted through the normal channels. 
   Please see http://www.apache.org/security/
   




[GitHub] [cordova-serve] huntr-helper commented on issue #36: Suspected Vulnerability & Bug Bounty - External Code Execution - huntr.dev

Posted by GitBox <gi...@apache.org>.
huntr-helper commented on issue #36:
URL: https://github.com/apache/cordova-serve/issues/36#issuecomment-732187260


   ### Bug Bounty
   
   We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability? Go to https://huntr.dev/
   
   We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
   
   _Automatically generated by @huntr-helper..._




[GitHub] [cordova-serve] huntr-helper removed a comment on issue #36: Suspected Vulnerability & Bug Bounty - External Code Execution - huntr.dev

Posted by GitBox <gi...@apache.org>.
huntr-helper removed a comment on issue #36:
URL: https://github.com/apache/cordova-serve/issues/36#issuecomment-732187706





