I would like to report Stored XSS in module “http-file-server”.
It allows to inject malicious scripts in the file name, store them on the server, then execute these scripts in the browser via the XSS vulnerability.
module name: http-file-serverversion:0.2.6npm page: `https://www.npmjs.com/package/http-file-server
Simple HTTP file server (Node.JS)
[0] downloads in the last day
[1] downloads in the last week
[47] downloads in week 02-08 Apr 2019
[40] downloads in week 09-15 Apr 2019
[120+] downloads in the last month
This XSS vulnerability occurs due to the module represents filename(s) in HTML without any sanitization in listing directory page. In a result, any malicious scripts which are injected and stored on the server, would be executed in the client’s browser.
npm install -g http-file-server
" onmouseover=alert(1) "
{F486137}
http-file-server
or
nodejs /usr/lib/node_modules/http-file-server/http-file-server.js
Open http://localhost:8080/
{F486135}
When mouseover event is trigger, a message will be popup via XSS vulnerability.
{F486136}
User input should be properly sanitized and filtered both at the client and server side. Dangerous characters such as < > ’ " % ; ) ( & + should either be disallowed or HTML encoded before displaying them on screen.
It allows to inject malicious scripts in the file name, store them on the server, then execute these scripts in the browser via the XSS vulnerability.