GHSA-78p3-fwcq-62c2: @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting localizer strings
The endpoint `/site-structure/localizer/save-string/:lang/:defstring` accepts two parameter values, `lang` and `defstring`. These values are used in an unsafe way to set the keys and value of the `cfgStrings` object. Because the keys are attacker-controlled, the request can add or modify properties of `Object.prototype`, which results in several logic issues, including:

- RCE vulnerabilities by polluting the `tempRootFolder` property
- SQL injection vulnerabilities by polluting the `schema` property when using a PostgreSQL database
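The following is an added example, not Saltcorn's own code: it models the pattern the advisory describes (a user-controlled `lang` and `defstring` used as nested keys of a plain object), shows that a request with `lang` set to `__proto__` writes onto the shared `Object.prototype`, and places a hardened variant beside it. The function names `saveStringVulnerable` and `saveStringHardened`, the `cfgStrings` argument, and the request values are assumptions for illustration; the property name used here is a placeholder rather than the `tempRootFolder` or `schema` properties the advisory names.

```javascript
// Added example (not Saltcorn's code). Function names, the `cfgStrings`
// argument and the request values are assumptions for illustration.

// Vulnerable shape: attacker-chosen `lang` and `defstring` become nested keys
// of a plain object. `cfgStrings["__proto__"]` resolves to Object.prototype
// (truthy, so no fresh object is created), and the second assignment then
// writes the value onto the prototype shared by every plain object.
function saveStringVulnerable(cfgStrings, lang, defstring, value) {
  if (!cfgStrings[lang]) cfgStrings[lang] = {};
  cfgStrings[lang][defstring] = value;
  return cfgStrings;
}

// Hardened shape: reject keys that reach the prototype chain, treat only own
// properties as existing languages, and keep each per-language map
// prototype-less so an unforeseen key still cannot reach Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isSafeKey(key) {
  return typeof key === "string" && key.length > 0 && !FORBIDDEN_KEYS.has(key);
}

function saveStringHardened(cfgStrings, lang, defstring, value) {
  if (!isSafeKey(lang) || !isSafeKey(defstring)) {
    throw new Error(`rejected localizer key: ${lang}/${defstring}`);
  }
  if (!Object.prototype.hasOwnProperty.call(cfgStrings, lang)) {
    cfgStrings[lang] = Object.create(null);
  }
  cfgStrings[lang][defstring] = value;
  return cfgStrings;
}

// Simulates a constructed request
// /site-structure/localizer/save-string/__proto__/<prop> against the vulnerable
// function and reports whether a fresh, unrelated object now carries <prop>.
// Deletes the polluted property afterwards so the process is left clean.
function pollutionLeaks(prop, value) {
  const store = {};
  saveStringVulnerable(store, "__proto__", prop, value);
  const leaked = ({})[prop] === value;
  delete Object.prototype[prop];
  return leaked;
}

// Same constructed request against the hardened function: true only if the
// request was rejected and nothing reached Object.prototype.
function hardenedBlocks(prop, value) {
  const store = {};
  let rejected = false;
  try {
    saveStringHardened(store, "__proto__", prop, value);
  } catch (e) {
    rejected = true;
  }
  const leaked = ({})[prop] === value;
  return rejected && !leaked;
}

console.log("vulnerable leaks:", pollutionLeaks("polluted", "attacker")); // true
console.log("hardened blocks:", hardenedBlocks("polluted", "attacker"));  // true
```

The guard on `__proto__`, `constructor` and `prototype` stops the direct route; `Object.create(null)` for the per-language map and the own-property check are the defence in depth, since a prototype-less object has no `__proto__` accessor to walk up from even if a denylist entry is ever missed.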