fix security patch regression #1990

Closed
Sing-Li opened this issue Jan 20, 2016 · 4 comments · Fixed by #2953
Comments

@Sing-Li
Member

Sing-Li commented Jan 20, 2016

Recent changes have caused regression.

[screenshot: screen shot 2016-01-20 at 9 35 32 am]

@engelgabriel engelgabriel added this to the Next milestone Feb 22, 2016
@engelgabriel
Member

We should have a blacklist of IPs and domains for the previews

@samhocevar

This is tagged security, but there is no description of the bug. How does this affect users?

@engelgabriel engelgabriel modified the milestones: 0.27.0, Important Apr 13, 2016
@engelgabriel
Member

If you have a web service running on the same machine as Rocket.Chat, that doesn't have a password, and a user sends a message with a URL like https://localhost:3000 the system will do an HTTP GET on that address and display the title of the response.

@Sing-Li
Member Author

Sing-Li commented Apr 13, 2016

👍 or for the security researcher types ....

vulnerability: bot port scanner against the underlying server or virtualization host

Original discovery credit goes to @sinteur (Radically Open Security)
