Hi Guys,
simplehttpserver allows to embed HTML in file names, which (in certain conditions) might lead to execute malicious JavaScript.
Module:
‘simpehttpserver’ is simple imitiation of python’s SimpleHTTPServer and intended for testing, development and debugging purposes
https://www.npmjs.com/package/simpehttpserver
Description
This issue is another example of lack of output sanitization.
Here’s source code, which allows to embed HTML in file name and run attack presented in PoC section (./node_modules/simplehttpserver/simplehttpserver.js, lines 106-117):
// Check for each file if it's a directory or a file
var q = async.queue(function(item, cb) {
fs.stat(path.join(pathname, item), function(err, stat) {
if ( !stat ) cb();
if ( stat.isDirectory() ) {
ulist.push('<li><a href>'+item+'/</a></li>')
} else {
ulist.push('<li><a href>'+item+'</a></li>')
}
cb();
});
}, 4);
As you can see, item
is output directly into HTML without any sanitization.
In the directory which will be served via simple-server
, create file with following name:
javascript:alert('You are pwned!')
Run simplehttpserver
in directory with file with changed filename:
$ ./node_modules/simplehttpserver/cli.js
Listening 0.0.0.0:8000 web root dir /Users/bl4de/playground/node_bugbounty_playground
and open http://127.0.0.1:8000
in the browser.
Try to open file with name javascript:alert('You are pwned!')
by clicking it.
{F257774}
Configuration I’ve used to find this vulnerability:
I hope this report will help to keep Node ecosystem more safe. If you have any questions about any details of this finding, please let me know in comment.
Thank you
Regards,
Rafal ‘bl4de’ Janicki
This vulnerability can be used to eg. download malware via “drive-by-download” attacks. Also, as described in other modules I’ve reported similar vulnerabilty, an iframe with malicious JS file loaded from external resource can be executed.
This vulnerability can be used to eg. download malware via “drive-by-download” attacks. Also, as described in other modules where I’ve reported similar vulnerabilty, an iframe with malicious JS file loaded from external resource can be executed.