Pac mania
A popular NPM code library called Pac-Resolver has been updated to eliminate a severe remote-code execution vulnerability. Developers who have incorporated the package into their applications should make sure to update their dependencies to be rid of the bug, and provide the necessary updates to users to secure them.

Essentially, any app using the vulnerable code to handle internet proxies can potentially end up executing malicious code if it is given booby-trapped proxy configuration information, which can come from multiple sources.

On Tuesday, Tim Perry, who makes a developer tool called HTTP Toolkit, explained how he found the flaw, disclosed about a week ago as CVE-2021-23406, when adding proxy support to his software.

Pac-Resolver, downloaded more than three million times per week, provides support for "Proxy Auto-Config" (PAC) files, which tell HTTP clients which proxy to use for a given hostname.

"PAC files provide a way to distribute complex proxy rules, as a single file that maps a variety of URLs to different proxies," Perry explains in an advisory. "They're widely used in enterprise environments, and so often need to be supported in any software that might run in an enterprise environment."

These files may be distributed from a local network server, over HTTP, or from a remote server, a method common enough that there's a standard called WPAD (Web Proxy Auto-Discovery Protocol) to automate PAC file discovery.
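As an added illustration (not code from the article or from pac-resolver), the following shows the shape of a PAC file and a strict parser for the string that `FindProxyForURL` returns. Since a PAC file is arbitrary JavaScript fetched from the network, the sample body is shown for its format only and is deliberately not executed; the parser treats the PAC result as untrusted input and rejects anything that is not a well-formed `DIRECT`, `PROXY`, `HTTPS` or `SOCKS*` entry. The hostnames are constructed placeholders.

```javascript
// Added example (not from the article or the pac-resolver package).
// A PAC file is JavaScript that defines FindProxyForURL(url, host) and
// returns a semicolon-separated list such as "PROXY host:port; DIRECT".
// Shown for the format only; it is NOT evaluated here, because running
// network-supplied JavaScript is exactly where the article's risk lies.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (host === "localhost" || host.endsWith(".corp.example")) return "DIRECT";
  if (url.startsWith("https:")) return "PROXY proxy-tls.corp.example:8443; DIRECT";
  return "PROXY proxy.corp.example:8080";
}`;

// Directive types a client should accept from a PAC result (constructed policy).
const ALLOWED = new Set(["PROXY", "HTTPS", "SOCKS", "SOCKS4", "SOCKS5"]);
// host:port where host is a DNS name / IPv4 literal or a bracketed IPv6 literal.
const HOSTPORT = /^([A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5})$/;

// Parse a PAC return value into structured entries, throwing on anything
// outside the documented grammar rather than passing it on to the HTTP client.
function parseProxyDirective(result) {
  if (typeof result !== "string") throw new TypeError("PAC result must be a string");
  const entries = [];
  for (const raw of result.split(";")) {
    const part = raw.trim();
    if (part === "") continue; // tolerate a trailing ';'
    const [type, target, ...rest] = part.split(/\s+/);
    const kind = type.toUpperCase();
    if (kind === "DIRECT") {
      if (target !== undefined) throw new Error(`unexpected argument after DIRECT: ${part}`);
      entries.push({ type: "DIRECT" });
      continue;
    }
    if (!ALLOWED.has(kind) || target === undefined || rest.length > 0) {
      throw new Error(`unsupported proxy directive: ${part}`);
    }
    const m = HOSTPORT.exec(target);
    if (!m) throw new Error(`malformed host:port: ${target}`);
    const port = Number(m[2]);
    if (port < 1 || port > 65535) throw new RangeError(`port out of range: ${target}`);
    entries.push({ type: kind, host: m[1], port });
  }
  if (entries.length === 0) throw new Error("empty PAC result");
  return entries;
}
```

The client then walks the returned entries in order, falling back to the next one when a proxy is unreachable, which is the semantics the PAC format defines for the list.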