
7863 matches found

seebug.org
added 2016/01/19 12:0 a.m., 121 views

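Remote memory disclosure vulnerability in the node.js ws module

A vulnerability was recently found in the ws module that allows users to allocate memory simply by sending a ping data frame. The vulnerability refuses the user's request to send data, disabling the ability to send ping data frames, and before that it also enlarges the payload of the data frame. In fact, this is exactly how the vulnerability manifests. But within the module, ws generally converts all the data we pass into memory, and that is where the vulnerability lies. No check is made on the type of the data to be sent. When you need to store a number in node.js, the vulnerability automatically allocates for that number a string space holding a large number of bytes, increasing the memory load. var x = new Buffer(100); // vs var x = new Buffer('100');...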

7.1 AI score
Exploits: 0
The Hacker News
added 2016/01/12 6:30 a.m., 21 views

'Ridiculous' Bug in Popular Antivirus Allows Hackers to Steal all Your Passwords

If you have installed Trend Micro's Antivirus on your Windows computer, then beware. Your computer can be remotely hijacked, or infected with any malware, even through a website – thanks to a critical vulnerability in Trend Micro Security Software. The popular antivirus maker and security firm...

8.2 AI score
Exploits: 0
exploitpack
added 2016/01/11 12:0 a.m., 21 views

Trend Micro - node.js HTTP Server Listening on localhost Can Execute Commands

Trend Micro - node.js HTTP Server Listening on localhost Can Execute Commands Trend Micro Maximum Security 10 Exploit Sample exploit for Trend Micro Maximum Security 10. -- Tavis Ormandy. Command: Click Here to run the command above the default will uninstall Trend Micro Maximum. img...

Exploits: 0
Exploit DB
added 2016/01/11 12:0 a.m., 26 views

Trend Micro - node.js HTTP Server Listening on localhost Can Execute Commands

Trend Micro Maximum Security 10 Exploit Sample exploit for Trend Micro Maximum Security 10. -- Tavis Ormandy. Command: Click Here to run the command above the default will uninstall Trend Micro Maximum...

7.4 AI score
Exploits: 0
Node.js
added 2016/01/04 7:52 p.m., 23 views

Remote Memory Disclosure

Overview: Versions of bittorrent-dht prior to 5.1.3 are affected by a remote memory disclosure vulnerability. This vulnerability allows an attacker to send a specific series of messages to a listening peer and get it to reveal internal memory. There are two mitigating factors here, that slightl...

5 CVSS, 1.8 AI score, 0.003 EPSS
Exploits: 0, Affected Software: 1
OSV
added 2016/01/02 9:59 p.m., 5 views

CVE-2015-8027

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request...

7.5 CVSS, 9.1 AI score, 0.13882 EPSS
Exploits: 0, References: 7
NVD
added 2016/01/02 9:59 p.m., 17 views

CVE-2015-8027

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request...

7.5 CVSS, 7.3 AI score, 0.0139 EPSS
Exploits: 0, References: 7
Prion
added 2016/01/02 9:59 p.m., 24 views

Cross site request forgery (csrf)

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request...

5 CVSS, 7 AI score, 0.13882 EPSS
Exploits: 0, References: 7, Affected Software: 1
UbuntuCve
added 2016/01/02 9:59 p.m., 23 views

CVE-2015-8027

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request...

7.5 CVSS, 7.1 AI score, 0.0139 EPSS
Exploits: 0, References: 2
Debian CVE
added 2016/01/02 9:0 p.m., 27 views

CVE-2015-8027

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request...

7.5 CVSS, 8.1 AI score, 0.0139 EPSS
Exploits: 0
CVE
added 2016/01/02 9:0 p.m., 92 views

CVE-2015-8027

Technical details for CVE-2015-8027 are not publicly available in the provided connected documents. Monitor for updates from official advisories; current sources reiterate the description without specifics on affected versions, impact, or fixes.

7.5 CVSS, 8 AI score, 0.0139 EPSS
Exploits: 0, References: 7, Affected Software: 1
Cvelist
added 2016/01/02 9:0 p.m., 20 views

CVE-2015-8027

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request...

7.4 AI score, 0.0139 EPSS
Exploits: 0, References: 7
n0where
added 2015/12/21 5:51 p.m., 328 views

Damn Vulnerable Node Application: DVNA

Damn Vulnerable Node Application (DVNA) is a node.js web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid...

0.4 AI score
Exploits: 0, References: 1
CNVD
added 2015/12/13 12:0 a.m., 1 views

Joyent Node.js Denial of Service Vulnerability

Joyent Node.js is the United States Joyent company's set of web applications built on top of Google V8 JavaScript engine platform. A security vulnerability in Joyent Node.js allows remote attackers to conduct denial of service attacks by submitting special requests...

7.5 CVSS, 8.6 AI score, 0.0139 EPSS
Exploits: 0, References: 1
ArchLinux
added 2015/12/05 12:0 a.m., 51 views

nodejs: multiple issues

CVE-2015-6764 V8 out-of-bounds access vulnerability: A bug was discovered in V8's implementation of JSON.stringify that can result in out-of-bounds reads on arrays. The patch was included in this week's update of Chrome Stable. While this bug is high severity for browsers, it is considered lower...

7.5 CVSS, 1.6 AI score, 0.13882 EPSS
Exploits: 0, References: 3
Node JS Blog
added 2015/12/04 12:0 a.m., 33 views

December Security Release Summary

December Security Release Summary Last week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update...

9.8 CVSS, 8.4 AI score, 0.54488 EPSS
Exploits: 1
Node JS Blog
added 2015/12/01 12:0 a.m., 31 views

December Security Release Schedule Update

December Security Release Schedule Update The OpenSSL project announced today that they will be releasing security updates for versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 on the 3rd of December UTC. The updates will fix a number of security defects, the highest of which is classified as "moderate"...

9.8 CVSS, 8.5 AI score, 0.13882 EPSS
Exploits: 0
myhack58
added 2015/11/28 12:0 a.m., 16 views

Node.js facing two important security vulnerabilities, plans next week to repair-vulnerability warning-the black bar safety net

Node.js the Foundation disclosed a denial of service and a bounds access vulnerabilities, plan next week to provide a patch upgrade fixes two critical vulnerabilities. Node.js Foundation today released the announcement, the most popular server-side JavaScript platform contains "a high-strength...

0.8 AI score
Exploits: 0
Node JS Blog
added 2015/11/25 12:0 a.m., 38 views

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability This announcement is for: CVE-2015-8027: a high-impact denial of service vulnerability CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability CVE-2015-8027 Denial of Service Vulnerabilit...

8.5 AI score
Exploits: 0
Kitploit
added 2015/11/05 10:12 p.m., 19 views

Toxy - Hackable Http Proxy To Simulate Server Failure Scenarios And Network Conditions

Toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js / io.js. It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency...

7.1 AI score
Exploits: 0, References: 15