GHSA-342Q-2MC2-5GMP

Vulnerability from github – Published: 2024-07-15 17:47 – Updated: 2024-11-18 16:26
Summary
@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)
Details

Summary

The maintainer has been contemplating whether FTP or other protocols could serve as useful functionality, but there may not be a practical reason for it, since headless Chrome is used to capture the screenshots. The argument below assumes that this package is run as a service that accepts URLs from users.

The package includes an ALLOW_LIST with which the host can specify which services users are permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or [::] is allowed.

The maintainer is of the opinion that the package should also have a blacklist, because of a potential vulnerability (or rather a design oversight): if someone hosts this on a server, users can capture screenshots of other web services running locally on that host, including ones bound only to the loopback interface.

This may not apply if the service is strictly intended for public web pages. A similar discussion: https://github.com/follow-redirects/follow-redirects/issues/235 (there, denying localhost was left to end users or hosts, and the package is for HTTP/HTTPS only).

This is marked as LOW since the maintainer is not sure whether this is a vulnerability, but it is still best to highlight it. :) (GitHub's review of the advisory assigned it a MODERATE severity; see the record below.)

PoC

Have a service like so running locally:

const http = require("http")

const server = http.createServer((req, res) => {
  console.log("Received headers:", req.headers)
  res.writeHead(200, { "Content-Type": "text/plain" })
  res.end("Something private! But Hello from Server 2 :)")
})

server.listen(3001, () => {
  console.log("Server two running on http://localhost:3001")
})

Run the package in dev mode (pnpm dev), which serves on http://localhost:3089, and request these URLs:

http://localhost:3089/?url=http://[::]:3001&width=4000
http://localhost:3089/?url=http://localhost:3001&width=4000
http://localhost:3089/?url=http://127.0.01:3001&width=4000

The third URL uses the shortened form 127.0.01, which the WHATWG URL parser (used by browsers and Node) expands to 127.0.0.1; a naive string comparison against "127.0.0.1" would not catch it.

(screenshot of the captured private page; image attached to the original advisory)

Impact

Disclosure of internal web services: anyone who can submit a URL to a hosted instance can obtain screenshots of unauthenticated HTTP pages reachable from the host, including services bound only to localhost.
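The ALLOW_LIST paragraph above and the three PoC URLs both turn on the same point: a deny list for internal targets has to be applied to the hostname after URL normalisation, and has to cover every spelling of loopback, not just the string "localhost". The following is an added example of such a screen, written for this page; it is not url-to-png's own code and not the fix the project shipped in 2.1.2. It uses only the global WHATWG URL class, so it runs with no imports. screenTarget and its helpers are hypothetical names; the resolved parameter is the address list the caller already obtained for the hostname (for example from dns.promises.lookup(host, { all: true })), so the function itself never touches the network.

```javascript
// Added example (not url-to-png's own code, and not the project's 2.1.2
// fix): screening a requested screenshot target before handing it to
// headless Chrome. Uses only the global WHATWG URL class, so it runs
// without any imports. `screenTarget` and its helpers are hypothetical
// names; `resolved` is the address list the caller obtained for the
// hostname, e.g. via dns.promises.lookup(host, { all: true }).

// Internal IPv4 ranges a screenshot service should never be pointed at.
const BLOCKED_V4 = [
  ["0.0.0.0", 8],      // "this host"; 0.0.0.0 reaches the local machine
  ["10.0.0.0", 8],     // RFC 1918 private
  ["100.64.0.0", 10],  // shared address space (CGNAT), common inside clouds
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, including cloud metadata endpoints
  ["172.16.0.0", 12],  // RFC 1918 private
  ["192.168.0.0", 16], // RFC 1918 private
];

// Dotted-quad string -> 32-bit number, or null if not a dotted quad.
function v4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return false;
  // Compare the top `bits` bits of the address with those of the network.
  return BLOCKED_V4.some(([net, bits]) =>
    Math.floor(n / 2 ** (32 - bits)) === Math.floor(v4ToInt(net) / 2 ** (32 - bits)));
}

// Expand an IPv6 literal (compressed, or with an embedded IPv4 tail such as
// ::ffff:127.0.0.1) into eight 16-bit groups; null if it is not IPv6.
function expandV6(ip) {
  let s = ip;
  if (s.includes(".")) {
    const colon = s.lastIndexOf(":");
    const v4 = v4ToInt(s.slice(colon + 1));
    if (v4 === null) return null;
    s = s.slice(0, colon + 1) + Math.floor(v4 / 65536).toString(16) + ":" + (v4 % 65536).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const tail = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  const groups = [...head, ...Array(halves.length === 2 ? fill : 0).fill("0"), ...tail]
    .map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return groups.some(Number.isNaN) ? null : groups;
}

function inBlockedV6(ip) {
  const g = expandV6(ip);
  if (g === null) return false;
  const zeroPrefix = g.slice(0, 5).every((x) => x === 0);
  if (zeroPrefix && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
  if (zeroPrefix && g[5] === 0xffff) {                                     // ::ffff:a.b.c.d
    return inBlockedV4(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
  }
  if ((g[0] & 0xfe00) === 0xfc00) return true;                             // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;                             // fe80::/10 link-local
  return false;
}

// Returns { ok: true, host } or { ok: false, reason }. The caller must
// connect to one of the `resolved` addresses it passed in, not re-resolve
// the name, or DNS rebinding can swap in 127.0.0.1 between check and use.
function screenTarget(urlString, resolved = []) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // The URL parser has already normalised 127.0.01, 0x7f000001 and
  // 2130706433 to 127.0.0.1; IPv6 hosts come back wrapped in brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost" };
  }
  for (const addr of [host, ...resolved]) {
    if (inBlockedV4(addr) || inBlockedV6(addr)) {
      return { ok: false, reason: `${addr} is an internal address` };
    }
  }
  return { ok: true, host };
}
```

Two caveats for anyone deploying a check like this in front of headless Chrome. First, resolve the hostname yourself, pass every returned address in, and then make the browser connect to one of those addresses rather than letting it re-resolve, otherwise a rebinding DNS name can pass the check and still land on 127.0.0.1. Second, the screen has to run on every navigation the browser makes, not only the submitted URL: a public page that passed the check can answer with a redirect to http://127.0.0.1:3001 and Chrome will follow it, so hook the request interception of whatever automation layer drives the browser and apply the same function there.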


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@jmondi/url-to-png"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-15T17:47:00Z",
    "nvd_published_at": "2024-07-15T20:15:04Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service.\n\nThe package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed.\n\nThe maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally.\n\nUnless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.)\n\nThis is marked as a `LOW` since the maintainer is not sure if this is a vulnerability, but it\u0027s still best to highlight it. :) \n\n### PoC\n\nHave a service like so running locally:\n\n```js\nconst http = require(\"http\")\n\nconst server = http.createServer((req, res) =\u003e {\n  console.log(\"Received headers:\", req.headers)\n  res.writeHead(200, { \"Content-Type\": \"text/plain\" })\n  res.end(\"Something private! But Hello from Server 2 :)\")\n})\n\nserver.listen(3001, () =\u003e {\n  console.log(\"Server two running on http://localhost:3001\")\n})\n```\n\nRun the package in dev mode, `pnpm dev`. Feed these URLs:\n\n```\nhttp://localhost:3089/?url=http://[::]:3001\u0026width=4000\nhttp://localhost:3089/?url=http://localhost:3001\u0026width=4000\nhttp://localhost:3089/?url=http://127.0.01:3001\u0026width=4000\n```\n\n\u003cimg width=\"622\" alt=\"image\" src=\"https://github.com/jasonraimondi/url-to-png/assets/42532003/21f1c883-ba00-4a15-83b8-922484fa4c2b\"\u003e\n\n\n\n### Impact\nDisclose internal web services?\n",
  "id": "GHSA-342q-2mc2-5gmp",
  "modified": "2024-11-18T16:26:52Z",
  "published": "2024-07-15T17:47:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-342q-2mc2-5gmp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39919"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jasonraimondi/url-to-png/commit/f62ff40403ffa1781459d6be8d97b8035888c00c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jasonraimondi/url-to-png"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)"
}