You can see: $ pip install ap-loadtester. You can see I have taken it over: https://pypi.org/project/ap-loadtester/ (in Maintainers). When you install it, it will install my pip package.
Issue is synchronized with this Jira Bug: https://mozilla-hub.atlassian.net/browse/SYNC-3860
Attachments: [F2576644] image.png (https://mozilla-hub.atlassian.net/rest/api/2/attachment/content/40617)
The repo you cite, autopush-loadtester, is a very old test script for the original autopush repo, which has been replaced by this repo. It was never meant to be installed by pip (and clearly so, because the setup.py would have created a differently named repo anyway. 🤦🏻♂️ )
I've corrected the README on the autopush-loadtester repo to remove references to ap-loadtester, as well as archived the repo.
Clearly, there are a lot of old bits and pieces lying around that have not yet been cleaned up properly. Thank you for helping us find one.
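The gap the maintainer describes above, a README that tells users to `pip install` a name the repository's own setup.py never publishes, is something a repo can check for itself before the stale name is claimed by someone else. The following is an added example, not code from the autopush project or the reporter; the README and setup.py snippets are constructed to mirror the report, and the function and variable names are my own.

```python
"""Flag `pip install` names in a README that the repo does not itself publish.

A name that is neither the project's own distribution nor a known dependency
is a candidate for an unregistered or abandoned PyPI name (the ap-loadtester
situation), so it should be removed from the docs or claimed by the owner."""
import re
from typing import Optional

# Constructed sample inputs modelled on the report; not the real project files.
README = """\
## Usage
Install the load tester:

    $ pip install ap-loadtester
    $ pip install -U requests>=2.0

Then run the scenario script.
"""
SETUP_PY = """\
from setuptools import setup
setup(name="autopush-loadtester", version="0.1")
"""

PIP_INSTALL_RE = re.compile(r"pip3?\s+install\s+([^\n`]+)")
# Leading requirement name per PEP 508; stops at version specifiers like >=.
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of . _ - into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def install_names(readme: str) -> set:
    """Normalized package names that the README asks users to pip install."""
    names = set()
    for m in PIP_INSTALL_RE.finditer(readme):
        for tok in m.group(1).split():
            if tok.startswith("-"):          # skip pip flags such as -U, -e, -r
                continue
            n = NAME_RE.match(tok)
            if n:
                names.add(normalize(n.group(1)))
    return names

def declared_name(setup_py: str) -> Optional[str]:
    """Distribution name from setup(name=...), normalized, or None if absent."""
    m = re.search(r"name\s*=\s*['\"]([^'\"]+)['\"]", setup_py)
    return normalize(m.group(1)) if m else None

def stale_install_names(readme: str, setup_py: str, deps=frozenset()) -> set:
    """README install names that are neither this repo's package nor a known dep."""
    own = declared_name(setup_py)
    return {n for n in install_names(readme) if n != own and n not in deps}
```

Run it over each README in the organization with the repo's declared dependencies in `deps`; any name it returns either needs to come out of the docs or be registered on PyPI by the project before someone else does.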
HackerOne Report: https://hackerone.com/reports/2097694
Report Date: 2023-08-05 17:06:15 UTC
Reporter: anupamas01
Weakness: Code Injection
Initial Report:
Summary:
hello team,
I found a pip package by which I can run malicious commands.
Steps To Reproduce:
(As it is highly used, I have not uploaded a higher version, which may affect production.)
$ pip install ap-loadtester
You can see I have taken it over: https://pypi.org/project/ap-loadtester/ (in Maintainers). When you install it, it will install my pip package.
POC
https://pypi.org/project/ap-loadtester/
( right now I am not uploading any code , if program allows i will upload )
Impact
code injection through the pip package
thanks
AnupamAs01