
So if an attacker already has access to your filesystem to modify your files, they can install stuff?

By this time it's already too late.

There are different levels of 'filesystem access' vulnerabilities.

Some classes of bugs that would otherwise be tame due to the constraints (e.g., a file upload that might only be able to create new files in some part of the directory tree, or a buggy routine that lets you create arbitrary symlinks, or leftover VCS/CM files that happen to end in .js and are not filtered out by the router) now become the most powerful kind, remote code execution.

Exploiting auto-downloading modules requires that the filesystem's already been exploited to the point where the app's code can be modified.

I could add `require('foo')` but I could also just require no third party code and have fun with the `process` module.
