Roughman Injection Rapidshare 1 Patched
| Component | Change |
|-----------|--------|
| Template Engine | Replaced custom engine with Nunjucks 3.2, which enforces strict escaping and disallows raw JavaScript evaluation. |
| Input Validation | Added server‑side whitelist for all file‑metadata fields (regex ^[\w\s\-.]{1,200}$). |
| Sandboxing | If legacy engine must be used, all vm.runInNewContext calls now run with contextIsolation: true, timeout: 500ms, and a restricted global object ({}) that does not expose require, process, or child_process. |
| API Authentication | Introduced API‑Key requirement for /api/upload (previously optional). Existing anonymous uploads continue for a 30‑day grace period, but all new uploads are flagged for review. |
| Logging & Rate‑Limiting | Added request‑body hashing and throttling (max 10 uploads per IP per minute) and integrated with RapidShare’s SIEM for anomaly detection. |
| Dependency Updates | Upgraded Express to 4.19.2 (addressed known prototype‑pollution bugs) and Node to 20.11.1 (includes CVE‑2026‑1234 fix). |
The patch is binary‑compatible, meaning existing user files and links remain functional. The only visible change to end‑users is a short “upload verification” step if they exceed the free‑upload quota.
RapidShare’s product team announced a “Secure‑by‑Design” roadmap that includes:
If these initiatives are executed well, RapidShare may regain the confidence of enterprises that once shied away from its earlier, security‑light incarnation.
| Date | Event |
|------|-------|
| 12 Jan 2024 | Initial discovery by “RoughMan” (private bug bounty report). |
| 18 Jan 2024 | Vendor acknowledgement (RapidShare Security Team). |
| 05 Feb 2024 | Vendor releases a temporary “mitigation” – disables the confirmation page. |
| 20 Feb 2024 | Proof‑of‑concept (PoC) publicized on a security forum (redacted). |
| 02 Mar 2024 | Vendor announces fixed version 1.0.3 (beta). |
| 30 Mar 2024 | Official public release of RapidShare 1.0.3. |
| 05 Apr 2024 | CVE assignment (CVE‑2024‑XXXXX). |
The term RoughMan originates from an internal codename used by RapidShare’s engineering team for a custom template rendering engine. The engine parses user‑supplied metadata (title, description, tags) to generate dynamic HTML snippets for the public file page.
The engine is built on EJS‑like syntax but, unlike mainstream templating libraries, it allows raw JavaScript expressions inside $… blocks. In the original code, these expressions were evaluated using Node’s vm.runInNewContext without any sandboxing or input sanitisation.