Hello everyone,
Two vulnerabilities have been disclosed to Plug. Applications that provide
file uploading functionality to a local filesystem are advised to upgrade
immediately. Upgrade is also recommended for any other application that
uses Plug, to ensure they follow the latest and best security practices.
We have released new Plug versions v1.0.4, v1.1.7, v1.2.3 and v1.3.2. If
you can't upgrade immediately, we also include fixes you can directly add
to your applications.
## Null Byte Injection in Plug.Static
Plug.Static is used for serving static assets, and is vulnerable to null
byte injection. If file upload functionality is provided, this can allow
users to bypass filetype restrictions.
We recommend all applications that provide file upload functionality and
serve those uploaded files locally with Plug.Static to upgrade immediately
or include the fix below. If uploaded files are rather stored and served
from S3 or any other cloud storage, you are not affected.
* Versions affected: Plug v1.3.1, v1.3.0, v1.2.2, v1.2.1, v1.2.0, v1.1.6,
v1.1.5, v1.1.4, v1.1.3, v1.1.2, v1.1.1, v1.1.0, v1.0.3, v1.0.2, v1.0.1,
v1.0.0
* Versions fixed: Plug v1.3.2+, v1.2.3+, v1.1.7+, v1.0.4+
* Author: Griffin Byatt <griffin.byatt[at]nccgroup[dot]trust>
* Thanks to: Chip Durland, Raviv Cohen and Matthew Diaz
### Temporary fix
Identify where `plug Plug.Static` is invoked in your application (in a
Phoenix application this means the MyApp.Endpoint) and add the following
lines **before** `plug Plug.Static`:
plug :safe_plug_static
defp safe_plug_static(conn, _) do
Enum.any?(conn.path_info, &URI.decode(&1) =~ <<0>>) && raise "invalid
path"
conn
end
## Arbitrary Code Execution in Cookie Serialization
The default serialization used by Plug session may result in code execution
in certain situations. Keep in mind, however, the session cookie is signed
and this attack can only be exploited if the attacker has access to your
secret key as well as your signing/encryption salts. We recommend users to
change their secret key base and salts if they suspect they have been
leaked, regardless of this vulnerability.
* Versions affected: Plug v1.3.1, v1.3.0, v1.2.2, v1.2.1, v1.2.0, v1.1.6,
v1.1.5, v1.1.4, v1.1.3, v1.1.2, v1.1.1, v1.1.0, v1.0.3, v1.0.2, v1.0.1,
v1.0.0
* Versions fixed: Plug v1.3.2+, v1.2.3+, v1.1.7+, v1.0.4+
* Author: Griffin Byatt <griffin.byatt[at]nccgroup[dot]trust>
* Thanks to: Matthew Diaz
### Temporary fix
If you can't upgrade immediately, you can temporarily protect yourself by
using a custom serializer `Plug.Session` serializer.
plug Plug.Session, serializer: MyApp.SafeSerializer
Where `MyApp.SafeSerializer` is defined as:
defmodule SafeSerializer do
def encode(term) do
{:ok, :erlang.term_to_binary(term)}
end
def decode(binary) do
try do
{:ok, safe_terms(:erlang.binary_to_term(binary))}
rescue
_ -> :error
end
end
defp safe_terms(list) when is_list(list) do
for item <- list, do: safe_terms(item)
list
end
defp safe_terms(tuple) when is_tuple(tuple) do
safe_tuple(tuple, tuple_size(tuple))
tuple
end
defp safe_terms(map) when is_map(map) do
for {key, value} <- map do
safe_terms(key)
safe_terms(value)
end
map
end
defp safe_terms(other) when is_atom(other) or is_number(other) or
is_binary(other) or
is_pid(other) or is_reference(other) do
other
end
defp safe_terms(other) do
raise ArgumentError, "cannot deserialize #{inspect other}, the term
is not safe for deserialization"
end
defp safe_tuple(tuple, 0), do: :ok
defp safe_tuple(tuple, n), do
safe_terms(:erlang.element(n, tuple))
safe_tuple(tuple, n - 1)
end
end
## Final remarks
We want to thank the NCC Group for reporting those vulnerabilities.
NCC Group is a global expert in cyber security and risk mitigation, working
with businesses to protect their brand, value and reputation against the
ever-evolving threat landscape. Our Security Consulting services leverage
our extensive knowledge of current security vulnerabilities, penetration
testing techniques and software development best practices to enable
organizations to secure their applications against ever-present threats. At
NCC Group we can boast unrivaled talent and recognized world-class security
expertise. Bringing together best in class security consultancies iSEC
Partners, Intrepidus Group, Matasano, NCC Group and NGS we have created one
of the largest, most respected security consultancies in the world.
*José Valim*
www.plataformatec.com.br
Skype: jv.ptec
Founder and Director of R&D
--
You received this message because you are subscribed to the Google Groups
"elixir-lang-core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/elixir-lang-core/CAGnRm4JtRqukiTdExzqinwZUBAh%3Dg5KnQ%3Dg2F%2BzvcQ%2BZvZhSLw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
