
Mina Monitor v2.2.2

@olton olton released this 18 Jul 07:33

CrisF: Vulnerability Report - Mina Node Monitor

I'll add the information reported here:
Through the Node.js server you can get any file from the host.
All monitor versions since the December 14, 2021 commit 7ee51e82d885af951fcb7ef5f9139d7ebc072d50 are affected:

  https://github.com/olton/mina-node-monitor/commit/7ee51e82d885af951fcb7ef5f9139d7ebc072d50

This is how Node.js (and the HTTP protocol itself) behaves: the request URL is handed to the server unmodified, so developers using it as a file server must take care of sanitizing it themselves.

  https://github.com/olton/mina-node-monitor/blob/552607a18b3e91e66f7c9e1e14ade1643b23685f/server/index.js#L92

This line does not sanitize the URL for "..", so an attacker can read any file on the host.

Fixed: the code containing this vulnerability has been completely removed.