Personal data and account access at risk
Critical vulnerabilities in open source forum platform NodeBB could allow attackers to steal private information and access admin accounts, researchers have warned.
Researchers from SonarSource found three separate vulnerabilities in the software which, chained together, could lead to remote code execution (RCE) on the underlying server.
The path traversal bug (CVE-2021-43788) let users read JSON files outside the expected languages/ directory, which could leak potentially sensitive files such as the NodeBB config or exported user profiles containing personally identifiable information.
The XSS vulnerability (CVE-2021-43787) can be used by attackers to take over user accounts, including admin accounts. To be hijacked, a victim need only view the profile or a forum post of a malicious user.
Finally, the authentication bypass bug (CVE-2021-43786) allows attackers to directly execute commands on the server using just a single request.
It can be abused regardless of NodeBB’s configuration and does not require the attacker to have an account, “making it pretty dangerous for unpatched instances”, explained researcher Paul Gerste, who found the bugs.
Simple but severe
Chained together, the three vulnerabilities could allow RCE on a NodeBB server, regardless of its configuration.
Importantly, this can be achieved without a NodeBB account or any prior knowledge of the target, meaning that potential perpetrators can directly attack any instance reachable from the internet.
A blog post from SonarSource contains full technical details of the vulnerabilities, which have been patched in the latest version.
NodeBB users are encouraged to update to at least version 1.18.5 to protect against the security flaws.
Speaking about the disclosure process, Gerste said it was “very smooth with no issues whatsoever”.
He added: “NodeBB has a bug bounty program, so it was clear how to contact them about security issues.
“The maintainers took our advisory seriously from the beginning and released a fix very quickly – 48 hours after the report [was made].
“They thanked us and awarded us with a $1,536 bounty.”