From 2d733b70bfb10931c99a0a8f85f8253698ce4c18 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Thu, 7 Sep 2023 18:00:58 +0200
Subject: [PATCH] Fix access control bypass vulnerability for non-proxy SVR.JS mods
---
 config.json | 4 ++--
 svr.js | 14 ++++++++++++--
 views.txt | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/config.json b/config.json
index 61a8b1a..307060d 100644
--- a/config.json
+++ b/config.json
@@ -3,7 +3,7 @@
 "port": 80,
 "pubport": 80,
 "page404": "404.html",
- "timestamp": 1694024561052,
+ "timestamp": 1694099048015,
 "blacklist": [],
 "nonStandardCodes": [],
 "enableCompression": true,
@@ -102,4 +102,4 @@
 "errorPages": [],
 "useWebRootServerSideScript": true,
 "exposeModsInErrorPages": true
-}
+}
\ No newline at end of file
diff --git a/svr.js b/svr.js
index fc453c6..7d50da2 100644
--- a/svr.js
+++ b/svr.js
@@ -3274,9 +3274,19 @@ if (!cluster.isPrimary) {
 function modExecute(mods, ffinals) {
 // Prepare modFunction
 var modFunction = ffinals;
- for (var i = mods.length - 1; i >= 0; i--) {
- modFunction = mods[i].callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
+ var useMods = mods;
+
+ if(isProxy) {
+ // Get list of forward proxy mods
+ useMods = [];
+ mods.forEach(function (mod) {
+ if (mod.proxyCallback !== undefined) useMods.push(mod);
+ });
 }
+
+ useMods.reverse().forEach(function (modO) {
+ modFunction = modO.callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
+ });
 // Execute modfunction
 modFunction();
diff --git a/views.txt b/views.txt
index 2ebc651..c227083 100644
--- a/views.txt
+++ b/views.txt
@@ -1 +1 @@
-56
\ No newline at end of file
+0
\ No newline at end of file
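Review bot: In the svr.js hunk, `useMods.reverse()` reverses the array in place, and on the non-proxy path `useMods` is the very array passed in as `mods`, so every ordinary request flips the caller's mod list. If that list is shared across requests (its definition is outside this hunk), the callback chain would be built in the opposite order on alternate requests, which matters when an access-control mod is expected to wrap the mods loaded after it. Reversing a copy keeps the order stable: `useMods.slice().reverse().forEach(function (modO) {`. The `isProxy` branch builds a fresh array and is not affected; `modExecute` continues past the end of the hunk.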