Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix for Resources Downloaded over Insecure Protocol - huntr.dev #9

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Security Fix for Resources Downloaded over Insecure Protocol - huntr.dev #9

wants to merge 9 commits into from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/Mik317 has fixed the Resources Downloaded over Insecure Protocol vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#3
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/resourcehacker/1/README.md

User Comments:

Bounty URL: https://www.huntr.dev/bounties/1-npm-resourcehacker

⚙️ Description *

The resourcehacker module was downloading a resource from an insecure HTTP server, which made possible MITM attacks and similar attack vectors.
The certificate of the host wasn't valid, making impossible fixing the issue just replacing the http version of the resource, and the 512 sha hash check wasn't really good if any update occurred 😄

💻 Technical Description *

I simply inserted the zipped file in the repo, in order to make possible downloading the file from the GitHub servers, which have a valid certificate and it's secured under HTTPS.
This will make possible installing always the latest version of the updated file (that's why I didn't remove the download process even if the zip file is in the repo).

Notes: If the fix will be merged by the author, it's necessary changing the link of the resource in order to index its repo 👍

🐛 Proof of Concept (PoC) *

No needed

🔥 Proof of Fix (PoF) *

No needed

👍 User Acceptance Testing (UAT)

All works OK and the file is unzipped successfully 👍

@felicienfrancois
Copy link
Owner

  • Do you have the authorization from the Software author to serve it from your github ?

From the software license published on his website :
This software is not to be distributed via any website domain or any other media without the prior written approval of the copyright owner.

  • Are you willing to keep it up-to-date on your github (i.e; update your github upon new release) ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@huntr-helper @felicienfrancois @Mik317