Skip to main content

Vulnerabilities in dependencies used in projects

 Vulnerabilities in dependencies used in projects

The case of 4Chan

  • never updated any dependencies since 2009
  • one dependency used was publicly-known to have multiple critical vuln
  • Local File Inclusion - process pdf files but never checked if the pdf is actually pdf
  • Remote code execution - after injecting. can run scripts on the server
  • The modern wake up call - this event reminded everyone to stay up to date with dependencies updates


Dependencies we’re using:

  • mPDF - fixed
    • vuln for versions lower than 7.1.8
    • deserialization of untrusted data - similar with how 4chan got hacked
  • aws/aws-sdk-php - fixed
    • path traversal
      • vuln for versions lower than 3.288.1
      • can go back and open directories that are not public
    • arbitrary code execution
      • vuln for versions lower than 3.2.1


Best practices:

  1. stay up to date with the tech world
    1. join forums like reddit and stackoverflow
  2. check websites that publish security reports
    1. snyk security - https://security.snyk.io/vuln/
  3. regularly audit dependencies
    1. update if needs to



Labels:

Comments

Post a Comment

Popular posts from this blog

Setup existing IONIC project in local

Setup existing IONIC project in local  Steps: clone git repo install ionic -  npm install -g @ionic/cli masuk folder repo project install npm dependencies -  npm install run ionic project -  ionic serve buka android studio / xcode -  ionic cap open $var  - $var = ‘android’ atau ‘ios’. ada dua je option, replace $var dgn dua option tu sync changes vscode & dkt android studio / xcode -  ionic cap sync good luck Common issues: dependency conflict check https://www.npmpeer.dev/ utk tengok version yg compatible try naikkan/turunkan version dependency yg keluar dkt error. tembak je sampai hilang error g radle issue try upgrade gradle. kalau tak boleh, try remove folder android & build semula e rror cocoapod make sure install xcode make sure install cocoapod error java  home not found utk mac, buka ~/.zshrc & masukkan chang es dkt VSC tak masuk android studio / xcode try ionic cap sync try quit & buka semula cordo va.variables.gradle no...
Post a Comment
Read more

🪄 Useful git spells

Navigating the world of Git can be akin to mastering an arcane art. For the savvy developer, knowing the right incantations can mean the difference between seamless collaboration and catastrophic code conflicts. Here's a compendium of Git commands that are essential for those critical moments. Handle them with care, for they wield great power. Reverting to a Specific Commit (Non-Shared Branches Only) When you need to undo changes and return to a known good state: `git reset --hard <commit-hash>` - This will reset your branch to the specified commit. `git push -f origin` - Force push the changes to overwrite the remote branch. Merging Branches Like a Pro To incorporate changes from one branch into another, follow these steps: `git checkout <branch-to-merge-to>` - Switch to the branch you want to update. `git fetch origin` - Fetch the latest changes from the remote. `git pull` - Pull the latest changes into your local branch. `git status` - Check the status of your branch...
Post a Comment
Read more