Vigil@nce - Node.js hapi: bypassing restrictions
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can bypass the CORS rules of Node.js hapi, in order to
access some resources.
Impacted products: Node.js Modules not comprehensive.
Severity: 2/4.
Creation date: 29/12/2015.
DESCRIPTION OF THE VULNERABILITY
The Node.js hapi product uses CORS (Cross-Origin Resource
Sharing), which defines access controls for resources.
However, when configurations are combined, the generated
configuration is less restrictive.
An attacker can therefore bypass the CORS rules of Node.js hapi, in
order to access some resources.
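The following added example is not from the bulletin and is not hapi's code. It sketches one way that combining CORS configurations can yield a looser result, next to a stricter merge and an audit check. It assumes the loosening comes from defaults being re-applied at each configuration level, which the bulletin does not detail; all function names, option names and origins are hypothetical.

```javascript
// Added illustration, not hapi's source code; every name here is hypothetical.
const CORS_DEFAULTS = { origin: ['*'], credentials: false };

// Flawed combination: each level is padded with defaults before layering, so a
// route that sets only `credentials` re-introduces the default origin ['*'].
function mergeFlawed(connectionCors, routeCors) {
  const conn = Object.assign({}, CORS_DEFAULTS, connectionCors);
  const route = Object.assign({}, CORS_DEFAULTS, routeCors);
  return Object.assign({}, conn, route);
}

// Corrected combination: layer only the keys each level set explicitly and
// apply the defaults once, underneath everything.
function mergeStrict(connectionCors, routeCors) {
  return Object.assign({}, CORS_DEFAULTS, connectionCors, routeCors);
}

// True when the effective policy would accept this request Origin.
function originAllowed(cors, origin) {
  return cors.origin.includes('*') || cors.origin.includes(origin);
}

// Audit check: origins present in the effective policy that the declared
// restriction never listed. A non-empty result means the merge widened access.
function widenedOrigins(declared, effective) {
  if (!declared.origin) return [];
  return effective.origin.filter((o) => !declared.origin.includes(o));
}

// Constructed sample configuration (not taken from the bulletin).
const connectionCors = { origin: ['https://app.example.test'] };
const routeCors = { credentials: true };

const flawed = mergeFlawed(connectionCors, routeCors);
const strict = mergeStrict(connectionCors, routeCors);
console.log('flawed:', flawed, 'widened:', widenedOrigins(connectionCors, flawed));
console.log('strict:', strict, 'widened:', widenedOrigins(connectionCors, strict));
```

Running the same audit check against the effective configuration of each route after an upgrade confirms that no declared origin restriction is being widened.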
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Node-js-hapi-bypassing-restrictions-18609