Security vulnerability disclosure

[kazet]

Hello,

CERT PL found a security vulnerability in this repository. How can we report this privately? We don't see any security policy describing how such vulnerabilities should be reported.

[jan-vandenberg]

Please send to my personal email janvdberg at gmail

[kazet]

Thank you! You should have received a report.

[lukigruszka]

Hello,

CERT PL has sent you a report on 23rd of November and resent it on 18th of December.
Have you received any of them?

[jan-vandenberg]

Yes, but the mentioned finding applies to core/relations.php.
This is code that is NOT meant to be deployed.

Cruddiy GENERATES code that IS meant to be deployed, and any findings there are of greater importance (not the generator code).

That being said, we will of course try and look into it, but that explains a little bit why there wasn't a direct response.

[lukigruszka]

We are aware that this code is not meant to be deployed.
However, in a limited scope that vulnerability still poses a risk - when a user runs cruddiy locally and then enters a malicious website which performs such a crafted POST request to localhost, some arbitrary shell command will be executed on his/her machine.

[lukigruszka]

Hi, any updates on that? We would like to proceed with assigning a CVE for that vulnerability