oss-sec mailing list archives

CVE-2018-21036: Sails.js before v1.0.0-46 DoS


From: ali.of.south () keemail me
Date: Sun, 19 Jul 2020 00:24:26 +0200 (CEST)

Hello,

Sails.js (https://sailsjs.com/) before v1.0.0-46 allows attackers to cause a denial of service
with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a
WebSocket request.

[Affected Product Code Base]
Sails.js - < v1.0.0-46
sails-hook-sockets - < 1.5.5

[Attack Vectors]
To exploit the vulnerability, an attacker should make a request with a malformed URL to the socket.

[Reproducing]
1. Generate a default sails app.
2. sails lift
3. Open the app in the browser.
4. Open the browser console.
5. Execute this code: io.socket.get('?').

[Reference]
- https://github.com/balderdashy/sails-hook-sockets/commit/ff02114eaec090ee51db48435cc32d451662606e
- https://github.com/balderdashy/sails-hook-sockets/commit/0533a4864b1920fd8fbb5287bc0889193c5faf44
- https://github.com/balderdashy/sails/blob/56f8276f6501a144a03d1f0f28df4ccdb4ad82e2/CHANGELOG.md

Thanks,
Ali Norouzi
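
The failure mode described in the advisory, shown as an added example that is not part of the original post and is not sails-hook-sockets code: a dispatcher that assumes every socket request URL has a pathname throws on `?`, while a hardened one answers 400 and keeps the exception inside the listener. The names `TARGET_RE`, `routes`, `naiveDispatch`, `safeDispatch` and `compare`, and the sample URLs, are constructed for illustration.

```javascript
// Constructed model of a socket "virtual request" dispatcher (assumption:
// simplified for illustration, not the sails-hook-sockets implementation).
const TARGET_RE = /^([^?#]+)(\?[^#]*)?/; // pathname needs at least one character

const routes = { '/ping': () => ({ statusCode: 200, body: 'pong' }) };

// Before: assumes every URL has a pathname. For '?' the match is null, so the
// destructuring throws a TypeError inside the socket message listener.
function naiveDispatch(msg) {
  const [, pathname] = msg.url.match(TARGET_RE);
  const handler = routes[pathname];
  return handler ? handler() : { statusCode: 404, body: 'Not Found' };
}

// After: reject malformed targets with a 400 and never let an exception
// escape the listener, where it would become an uncaught exception.
function safeDispatch(msg) {
  try {
    const url = msg && msg.url;
    if (typeof url !== 'string') return { statusCode: 400, body: 'Bad Request' };
    const m = url.match(TARGET_RE);
    if (!m || !m[1].startsWith('/')) return { statusCode: 400, body: 'Bad Request' };
    const known = Object.prototype.hasOwnProperty.call(routes, m[1]);
    return known ? routes[m[1]]() : { statusCode: 404, body: 'Not Found' };
  } catch (err) {
    return { statusCode: 500, body: 'Internal Server Error' };
  }
}

// Runs both dispatchers over constructed inputs and records each outcome.
function compare(urls) {
  return urls.map((url) => {
    let naive;
    try {
      naive = naiveDispatch({ url }).statusCode;
    } catch (e) {
      naive = 'throws ' + e.name;
    }
    return { url, naive, safe: safeDispatch({ url }).statusCode };
  });
}

console.log(compare(['/ping', '/ping?x=1', '/missing', '?', '']));
```

In a real Node.js server the naive throw is not caught by a test harness as it is in `compare`; it propagates out of the event listener and terminates the process, which is why one request is enough.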
