Critical vulnerabilities in open source forum platform NodeBB could allow attackers to steal private information and access admin accounts, researchers have warned.
NodeBB is a JavaScript-based forum software with more than 12,000 stars on GitHub.
Researchers from SonarSource found three separate vulnerabilities in the software, which if abused could lead to remote code execution (RCE) on the underlying server.
Multiple bugs
The three software issues identified in a blog post are a path traversal bug, a cross-site scripting (XSS) flaw, and an authentication bypass vulnerability.
The path traversal bug (CVE-2021-43788) allowed users to access JSON files outside of the expected languages/ directory and could allow attackers to leak potentially sensitive files, for example the NodeBB config or exported user profiles with personally identifiable information.
The XSS vulnerability (CVE-2021-43787) can be used by attackers to take over user accounts, including admin accounts. To be hijacked, victims only have to visit the profile or a forum post of a malicious user.
Finally, the authentication bypass bug (CVE-2021-43786) allows attackers to directly execute commands on the server using just a single request.
It can be abused regardless of NodeBB’s configuration and does not require the attacker to have an account, “making it pretty dangerous for unpatched instances”, explained researcher Paul Gerste, who found the bugs.
Simple but severe
Gerste told The Daily Swig: “The authentication bypass was interesting because it has a serious impact and the underlying flaw was caused by a detail of the JavaScript programming language.
“It is easy to overlook and it involves only basic JavaScript syntax, so it could be surprising for developers who do not know certain details of JavaScript that something as simple as that can lead to such a severe bug.”
Chained together, the three vulnerabilities could allow RCE on a NodeBB server, regardless of its configuration.
Importantly, this can be achieved without a NodeBB account or any information, meaning that potential perpetrators can directly attack any instance that is available on the internet.
A blog post from SonarSource contains full technical details of the vulnerabilities, which have been patched in the latest version.
NodeBB users are encouraged to update to at least version 1.18.5 to protect against the security flaws.
Speaking about the disclosure process, Gerste said it was “very smooth with no issues whatsoever”.
He added: “NodeBB has a bug bounty program, so it was clear how to contact them about security issues.
“The maintainers took our advisory seriously from the beginning and released a fix very quickly – 48 hours after the report [was made].
“They thanked us and awarded us with a $1,536 bounty.”
