Comments (9)
@omridon See the updated readme here. The update may additionally be done within QuickBox CE by clicking the "Run Updater" button.
@JamieSlome, as per what was brought to my attention, reproduced, tested and confirmed no longer an active RCE, we can report this as fixed. I had forgotten to push up the commit to finalize this as it was reported to me over the Holiday period and in the midst of heavy developments with the upcoming QuickBox Pro v3. So I did miss pushing up some commits. These should all be present and accounted for.
@websecnl, big credits to you guys for all that you do. It's a pleasure having you make my day a big ball of stress!!!
Hey there!
I belong to an open source security research community, and a member (@websecnl) has found an issue, but doesn't know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future. Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Assigned CVE so far: CVE-2021-44981
(More CVEs are to be assigned as there were a total of 5 findings reported)
Patched in both CE and Pro
Hi, where is the patch?
@JMSDOnline - are we able to mark the report as valid and fixed appropriately, if the issue on the report is fixed?
https://huntr.dev/bounties/c4b4b746-a3b9-4f20-910c-4f63e88ce689/
Thanks!
https://huntr.dev/bounties/c4b4b746-a3b9-4f20-910c-4f63e88ce689/
Thanks Jamie, but special thanks goes to the developers of Quickbox who have taken this report very seriously and implemented a remediation to the old config.php file very quickly.
CVEs list (2/6), will update this once more CVE numbers get approved by MITRE:
Security Researchers: Joel Aviad Ossi, Jelle Ermerins, Alexander Bode
For every other security researcher reading this:
QuickBox now has a responsible disclosure mail: [email protected]
Send your reports there.
@JMSDOnline - amazing, are you able to confirm what is the patch commit SHA that addresses this issue, so we can confirm it against the report?
https://huntr.dev/bounties/c4b4b746-a3b9-4f20-910c-4f63e88ce689/
Great work to all involved
❤️
@websecnl - thanks for this!
Confirmed against the report