There's different levels of 'filesystem access' vulnerabilities. Some classes of... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		q3k on Feb 26, 2019 \| parent \| context \| favorite \| on: Show HN: Zero – A fast, zero-configuration server ... There's different levels of 'filesystem access' vulnerabilities. Some classes of bugs that would be otherwise tame due to the constraints (eg., file upload that might be able to only create new files in some part of the directory tree, or a buggy routine that lets you create arbitrary symlinks, or leftover VCS/CM files that happen to end in .js and are not filtered out by the router) now become the most powerful kind, remote code execution.

nailer on Feb 26, 2019 [–]

Exploiting auto-downloading modules requires that the filesystem's already been exploited to the point where the app's code can be modified.

I could add `require('foo')` but I could also just require no third party code and have fun with the `process` module.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact