Here at NodeBB, we pride ourselves on producing high-quality and secure code, and we regularly put that to the test by utilising our own software1. However, no code is 100% perfect, and there are some vulnerabilities and bugs that could critically impact running instances of NodeBB.
As of November 2017, we've launched a bug bounty program to supplement our efforts to find these vulnerabilities and to reward those who submit them to us for fixing. Security vulnerabilities can be reported to the NodeBB team by emailing firstname.lastname@example.org.
We take every issue seriously, and aim to triage and deploy a fix as soon as possible.
Our mean time for a first response is: < 1 day.
Our mean time for a committed fix is: 2-3 days.
We will award bounties for verified and qualified vulnerabilities as follows:
- Medium ($128)
- CSRF / exploit that causes a user to perform an operation they didn't explicitly consent to
- Exposure of private user data or content (e.g. exposure of private posts or user email/IP address, etc.)
- High — XSS exploits and account takeovers ($256)
- Critical — exploit resulting in privilege escalation to admin, or downloading the site database ($512+)
Notes and Limitations
- Report all bugs to email@example.com. Posts to our forum or emailed directly to someone at the NodeBB team may result in delays.
- Please test and report against our testbed instance: https://try.nodebb.org . It runs the latest released NodeBB code, and is updated one day after the latest release.
- We reserve the right to reject a vulnerability report if it has been reported by someone else before you.
- Social engineering attacks and physical attacks are not covered under the bug bounty umbrella
- Only the core code and bundled plugins qualify for the bug bounty. Third-party plugins are not covered. The following modules are considered "bundled":
We'll do our best to prioritise security issues over any other issues at NodeBB, so we would kindly ask you to hold off on disclosure until a time is agreed-upon (typically 30-90 days).
1 Actually, it'd be a little sad if we didn't, wouldn't it?
The following vulnerabilities have been identified and resolved. They are disclosed below for transparency reasons, as well as to reward those users who have spent time and effort to discover them.
|16/8/2017||XSS||XSS in chat using an SVG tag as payload||Jigar Thakkar||High ($256)||Resolved in df069ee, released in v1.6.0|
|16/8/2017||Bug||window.opener is defined in target="_blank" links||Jigar Thakkar||High ($256)||https://mathiasbynens.github.io/rel-noopener
Fixed in Markdown and IFramely plugins
|16/8/2017||Bug||Password reset route needs brute force prevention measures||Jigar Thakkar||Medium ($128)||Fixed in v1.6.0|
|16/8/2017||XSS||XSS in Moderation Note at user info page||Jigar Thakkar||High ($256)||Fixed in dc9b210, released in v1.6.0|
|15/9/2017||Bug||Information disclosure in groups api||Andrew Cook||Medium ($128)||Fixed in https://github.com/NodeBB/NodeBB/commit/4c0d4308192d754d51ef4f9a0b831cb2f64ca81d, released in v1.6.1|
|13/10/2017||XSS||XSS in flag list and details page||Private Party||N/A||Fixed in https://github.com/NodeBB/NodeBB/commit/b44cfacda1800ff193987fabd1a64a22fd7a981d, released in v1.7.0|
|31/10/2017||XSS||Stored XSS due to vulnerable image upload handling||Alexander Antukh||High ($256)||Fixed in https://github.com/NodeBB/NodeBB/commit/18f4f27fe0757ca11e4d54ab8ed38dc02ab3dbbb, released in v1.7.0|
|8/11/2017||Bug||Unintentional leakage of private user information in users API||Artur Matczak||Medium ($128)||Fixed as part of https://github.com/NodeBB/NodeBB/issues/5804, released in v1.7.0|
|29/11/2017||Bug||Message retrieval via socket (mid) doesn't check uid||Alexander Antukh||Medium ($128)||Fixed in b19310049d9c2e55f88b05a25fafff3e7752e6cf, released in v1.7.2|
|30/11/2017||XSS||Stored XSS in x-forwarded-for, X-Forwarded-For: <script>alert("XSS")</script>||Alexander Antukh||High ($256)||Fixed in a7a3f3619b070ce000c91321f13eb38e561fdc4b, released in v1.7.2|
|1/12/2017||XSS||Stored XSS in the admin panel (registration queue), script in email field||Alexander Antukh||High ($256)||Fixed in e3fd4020706ae1e44c92bc3da1b0385d628c503f, released in v1.7.2|
|1/12/2017||Bug||User list CSV DoS if referenced as image and pasted many many times||Alexander Antukh||Medium ($128)||Fixed in e6d31c8bd212d46272864103896728b70602c2da, released in v1.7.2|
|11/12/2017||Bug||Information disclosure (IP addresses) via post-geolocation||Artur Antczak||Medium ($128)||Fixed in NodeBB/nodebb-plugin-post-geolocation@168e5c2e417127ef1995259230f61cecdedbac17|
|14/12/2017||Bug||Image upload by URL can leak port status via reflection||Private Report||Fixed in 88b47f357bd340955264bd2e5130805259285ed0, released in v1.7.3|
|15/1/2018||Bug||Reset token contained in Referer header when navigating to external links||Ali Razzaq||Low ($64)||Fixed in f138d3cb70e96a6124c543092397c907d959d9d5, released in v1.7.4|
|20/2/2018||Bug||Token leak in referer header from external resources loaded in reset confirmation page||Private Report||Low ($64)||Fixed in 7edc58b727781ac6a1097ebe4b8789f4afcfc02d, released in v1.8.0|
|21/2/2018||Bug||Strict transport security not enforced||Private Report||Low ($64)||Fixed in 98b0bdc7e10dcaa524ca9476ee5262242d2a6ebc, released in v1.8.0|
|26/3/2018||Bug||Password Policy not enforced in password reset route||Mohammed Abdul Raheem||Low ($64)||Fixed in 9aa9183cc3e90d0bbd9e94e7612b264ed6d00c9a, released in v1.8.2|
|3/4/2018||Bug||window.opener exposed on outgoing links opened in new tab||Albin Thomas||Low ($64)||Fixed in 5593a3e9ad60e0dbfaeb3232ac899ad0da1eea45, released in v1.8.2|
|12/4/2018||XSS||Emoji are not sanitized when put into a link or image URL.||Larry Yuan||Very Low ($0, not exploitable)||Fixed and released in firstname.lastname@example.org|
|3/6/2018||Bug||Window opener is available if user specifies opening of external links in new tab (noopener not adhered to by ajaxify)||Albin Thomas||Low ($64)||Fixed in a3e724e134894860c607e5a9980a308684288c57, released in v1.10.0|
|5/6/2018||CSRF||SSO implementation missing CSRF/state/nonce protection||Larry Yuan||High ($256)||Fixed in ec91ef1c644044bba44198b031913655e784b4bb, released in v1.10.0|