Skip to main content

Vulnerabilities in Dependencies

Vulnerabilities in Dependencies - A Lesson from 4Chan


Case Study: The 4Chan Security Breach

The Neglect

4Chan had not updated its project dependencies since 2009.

The Vulnerability

One specific dependency was publicly known to have multiple critical vulnerabilities: Ghostscript. Ghostscript Vulnerability Reports (Snyk)

Attack Vectors:

  • Local File Inclusion (LFI): The system processed PDF files without verifying if the uploaded file was actually a PDF.
  • Remote Code Execution (RCE): After a successful injection, attackers could run malicious scripts directly on the server.

The Wake-Up Call

This event serves as a modern reminder of the critical importance of keeping dependencies up to date.


Dependencies Audit & Status

These are some of the dependencies commonly used.

mPDF (Fixed)

  • Vulnerability: Deserialization of untrusted data (similar to the 4Chan/Ghostscript exploit).
  • Risk: Affects all versions lower than 7.1.8.

aws/aws-sdk-php (Fixed)

  • Path Traversal
    • Affects versions lower than 3.288.1.
    • Allows attackers to navigate and open directories that are not public.
  • Arbitrary Code Execution
    • Affects versions lower than 3.2.1.


Best Practices for Security

Stay Informed

  • Keep pace with the tech world by joining professional communities.
  • Participate in forums like Reddit and Stack Overflow.

Monitor Security Reports

  • Regularly check websites that publish vulnerability databases.
  • Snyk Security: https://security.snyk.io/vuln/

Regular Audits

  • Perform routine audits of all project dependencies.
  • Update immediately when security patches are released.


Labels:

Comments

Post a Comment

Popular posts from this blog

Setup existing IONIC project in local

Setup existing IONIC project in local  Steps: clone git repo install ionic -  npm install -g @ionic/cli masuk folder repo project install npm dependencies -  npm install run ionic project -  ionic serve buka android studio / xcode -  ionic cap open $var  - $var = ‘android’ atau ‘ios’. ada dua je option, replace $var dgn dua option tu sync changes vscode & dkt android studio / xcode -  ionic cap sync good luck Common issues: dependency conflict check https://www.npmpeer.dev/ utk tengok version yg compatible try naikkan/turunkan version dependency yg keluar dkt error. tembak je sampai hilang error g radle issue try upgrade gradle. kalau tak boleh, try remove folder android & build semula e rror cocoapod make sure install xcode make sure install cocoapod error java  home not found utk mac, buka ~/.zshrc & masukkan chang es dkt VSC tak masuk android studio / xcode try ionic cap sync try quit & buka semula cordo va.variables.gradle no...
Post a Comment
Read more

🗑️ Clear storage Mac OS

  🗑️ Clear storage Mac OS 1: Clear system cache: Go to Finder > Go > Go to Folder, then type in "~/Library/Caches" and hit enter. Select all the folders inside the Caches folder and delete them. 2: Clear system logs: Go to Finder > Go > Go to Folder, then type in "/var/log" and hit enter. Select all the files inside the Log folder and delete them. 3: Remove unused language files: Go to Finder > Go > Go to Folder, then type in "/Library/Languages" and hit enter. Delete all the language folders you don't need. 4: Uninstall unused apps: Go to the Applications folder and delete the apps you don't use. 5: Clean up system files: Use a system cleaning tool like CleanMyMac X to scan and remove unnecessary system files. 6: If you have npm installed, clear the caches once in a while with ‘sudo npm cache clean --force’ 7: If you have ionic projects, open the ‘.angular’ folder and delete the ‘cache’ folder inside it.
Post a Comment
Read more