Update to version 4.1.0

A high-impact vulnerability has been found in the Parse Server platform that could result in a user’s account being compromised.

Parse Server is an open source version of the Parse backend platform that can be used for any application running Node.js.

The reported issue, allocated a 7.5 CVSS base score, lies in how the platform implements the regular expression (regex) feature.

A regex is a search pattern that lets a user or developer find matching text, and the feature is supported across many applications.

An attacker could take advantage of this functionality in Parse Server by applying a regex to find a match to a user’s session key simply by guessing.

This would permit an attacker to take over an account without user interaction.

Parse Server versions 4.0.2 and below are affected. Users are advised to update to version 4.1.0, which includes the necessary mitigations.

The vulnerability was first disclosed in a bug report posted by Arthur Cinader on GitHub.

“Using the NoSQL, you can use a regex on sessionToken (_SessionToken":{"$regex":"r:027f}} and find valid accounts this way,” Cinader’s post reads.

Updating the query does not yield the same unauthorized authentication, it said.

However, a similar bug reported in the same GitHub post can be exploited in order to obtain improper authorization through a password reset request.

By using a person’s email address an attacker would “simply use regex in the token param to verify the email”, the post said.

“The same thing can be done for reset password.”

The post added: “You may need to do it a few times with a different letter/number, but as long as the tokens contain the character it will succeed.”

This regex attack is a class of MongoDB hash injection attack, as described in a research post from 2014. 
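The behaviour described in the bug report comes down to a token parameter being accepted as a query object rather than a plain string. The following JavaScript is an added example, not Parse Server's code or its 4.1.0 patch: the function names, the in-memory `users` array (standing in for a MongoDB collection) and the sample tokens are all constructed for illustration. It puts the weak lookup beside a type-checked one.

```javascript
// Added illustration; not Parse Server code. All names are hypothetical.
const users = [ // constructed sample records
  { email: 'alice@example.com', resetToken: 'k3Vq9ZxT7bLm' },
  { email: 'bob@example.com', resetToken: 'Pw82hYdRc0Ns' },
];

// Minimal model of MongoDB matching: a plain value means equality,
// an object is interpreted as an operator expression.
function matches(fieldValue, condition) {
  if (condition !== null && typeof condition === 'object') {
    if ('$regex' in condition) return new RegExp(condition.$regex).test(fieldValue);
    return false; // other operators are not modelled here
  }
  return fieldValue === condition;
}

// Weak: the request value is placed in the query as-is, so a JSON object
// sent by the client is treated as an operator instead of a token.
function findByTokenUnsafe(email, token) {
  return users.find(u => u.email === email && matches(u.resetToken, token)) || null;
}

// Hardened: a token must be a non-empty string; any other type is
// rejected before a query is built.
function findByTokenSafe(email, token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new TypeError('token must be a non-empty string');
  }
  return findByTokenUnsafe(email, token);
}
```

The same type check belongs on every parameter that is compared against a secret, including session tokens and email verification tokens.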

