How to get in touch regarding a security concern

Question

How to get in touch regarding a security concern

psmoros opened this issue a year ago · comments

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@nightfury99) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

Antoine Lelaisant · Answer 1 · Thu Mar 16 2023 23:45:32 GMT+0800 (China Standard Time)

Thanks for the feedback! I just configure the security policy https://github.com/KnpLabs/snappy/blob/master/SECURITY.md. Looking forward to hear from you!

nightfury99 · Answer 2 · Fri Mar 17 2023 09:16:26 GMT+0800 (China Standard Time)

Hi I'm Shauqi from netbytesecurity. I would like to report a security issues in knplabs/snappy v1.4.1 It is also reported via huntr.dev platform, link https://huntr.dev/bounties/b2c2743b-9d2c-4549-bfdd-782d13e86967/ Vulnerability Name: Phar Deserialization of Untrusted Data Vulnerability Description: snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the generateFromHtml() function, it will invoke deserialization. Impact: This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. For details explaination please refer to huntr.dev at the given link above. I would love to hear from you soon. Thank you. Regards, Shauqi

…

On Thu, 16 Mar 2023 at 11:45 PM, Antoine Lelaisant ***@***.***> wrote: Thanks for the feedback! I just configure the security policy https://github.com/KnpLabs/snappy/blob/master/SECURITY.md. Looking forward to hear from you! — Reply to this email directly, view it on GitHub <#465 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHV5HZTG3M4ZJEQ27VPZAT3W4MYSNANCNFSM6AAAAAAURAXMSA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Antoine Lelaisant · Answer 3 · Fri Mar 17 2023 22:52:40 GMT+0800 (China Standard Time)

Fixed in #469

Pavlos · Answer 4 · Fri Mar 17 2023 23:00:08 GMT+0800 (China Standard Time)

Hi @AntoineLelaisant can you please attribute credit to @nightfury99 instead of me? Also should we attribute a CVE for the finding? :)

Antoine Lelaisant · Answer 5 · Fri Mar 17 2023 23:14:56 GMT+0800 (China Standard Time)

Credits updated 😉!

We already asked for a CVE from Github to be generated. It should be provided within 3 working days.

Thanks for your reporting!

nightfury99 · Answer 6 · Wed Mar 29 2023 19:25:37 GMT+0800 (China Standard Time)

Hi @AntoineLelaisant <https://github.com/AntoineLelaisant> thank you for generating the CVE 🥳. If possible, I would like to insert my company name as well NetbyteSec <http://www.netbytesec.com> into the credit. Sorry for the late reply. Thank you.

…

On Fri, 17 Mar 2023 at 11:15 PM, Antoine Lelaisant ***@***.***> wrote: Credits updated 😉! We already asked for a CVE from Github to be generated. It should be provided within 3 working days. Thanks for your reporting! — Reply to this email directly, view it on GitHub <#465 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHV5HZQHJE5W3B24H3T63CLW4R5XXANCNFSM6AAAAAAURAXMSA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

nightfury99 · Answer 7 · Sat Apr 01 2023 12:24:55 GMT+0800 (China Standard Time)

Hi, can I have update for this, if this is not possible, do let me know, thank you. On Wed, 29 Mar 2023 at 7:25 PM, ahmad shauqi ***@***.***> wrote:

…

Hi @AntoineLelaisant <https://github.com/AntoineLelaisant> thank you for generating the CVE 🥳. If possible, I would like to insert my company name as well NetbyteSec <http://www.netbytesec.com> into the credit. Sorry for the late reply. Thank you. On Fri, 17 Mar 2023 at 11:15 PM, Antoine Lelaisant < ***@***.***> wrote: > Credits updated 😉! > > We already asked for a CVE from Github to be generated. It should be > provided within 3 working days. > > Thanks for your reporting! > > — > Reply to this email directly, view it on GitHub > <#465 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AHV5HZQHJE5W3B24H3T63CLW4R5XXANCNFSM6AAAAAAURAXMSA> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >