We have discovered security vulnerabilites in those SVR.JS mods. Fortunately we have patched those mods. But it’s recommended to upgrade these mods immediately.
Patched versions:
RedBrick 2.3.3 and newerreverse-proxy-mod 1.0.4 and newerOrangeCircle 1.0.2 and newerYellowSquare 1.0.1 and newer
Unpatched versions have various configuration file and source code leakage vulnerabilities. You can view our security advisory.
UPDATE: We discovered this vulnerability: “An attacker could hack the upstream server, replace the web server or application with one that sends an invalid HTTP response code, and make a request to the hacked server through the reverse proxy to crash the reverse proxy server”. The vulnerability is patched in reverse-proxy-mod 1.1.2 and newer.
UPDATE 2: We have discovered and mitigated even more security vulnerabilites in RedBrick, OrangeCircle and YellowSquare. We recommend to upgrade your SVR.JS mods to patched versions immediately.
Patched versions:
- RedBrick 2.5.4 and newer
- OrangeCircle 1.0.4 and newer
- YellowSquare 1.0.4 and newer
With unpatched versions, an attacker could add HTTP authentication header to the HTTP request when not required to enable web application functionality normally disabled on unauthenticated requests. You can view our security advisory.