Hi,
This report is about a Directory Traversal vulnerability I found in the html-pages module.
Module:
html-pages is a module which allows browsing directories and serving static files in the browser. The vulnerability exists in the latest available version (2.0.7).
Link to npm page: https://www.npmjs.com/package/html-pages
Summary:
When the html-pages server is run, the browser does not allow reading files from arbitrary locations. However, I’ve noticed that using simple bypasses with %2e (.) or %2f (/) I can easily go up in the directory tree.
But it’s not possible to open any file in the browser, due to the characters used in the path; only the directory listing is available:
[screenshot attachment F255390]
However, with a simple curl call we can read any file on the remote server where html-pages runs:
$ curl -v --path-as-is http://localhost:8000/../../../../../Users/bl4de/.vimrc
[screenshot attachment F255392]
Here is the part of the code which reads the directory content but does not validate against Directory Traversal in any way, which literally makes the root config setting useless:
https://github.com/danielcardoso/html-pages/blob/master/lib/server.js#L122
This vulnerability can be exploited regardless of some html-pages configuration settings, like root. All files on the server can be read by a malicious user.
Steps to reproduce:
Install html-pages:
$ npm install html-pages
Create app.js which uses html-pages for serving static files from a local server:
const pages = require('html-pages')
const pagesServer = pages(__dirname, {
port: 8000,
'directory-index': '',
'root': './',
'no-clipboard': true,
ignore: ['.git', 'node_modules']
})
$ node app.js
Open 127.0.0.1:8000 in the browser.
You should see all directories and files in the directory where app.js was run. Now, try to modify the URL into something like 127.0.0.1:8000/.%2e/.%2e/ - now the content of the directory two levels up in the file tree should be displayed. Try to open any directory or file (if available) by clicking on its name. You should notice that the application actually hangs.
$ curl -v --path-as-is http://127.0.0.1:8000/../../../../../etc/passwd
You should see the content of the /etc/passwd file:
[screenshot attachment F255391]
Configuration I’ve used to find this vulnerability:
I hope this report will help to keep the Node ecosystem safer. If you have any questions about any details of this finding, please let me know in a comment.
Thank you
Regards,
Rafal ‘bl4de’ Janicki
Impact:
This vulnerability allows a malicious user to read the content of any file on the machine where an app similar to the presented one is running. This might expose vectors to attack the system with Remote Code Execution, reveal files with usernames and passwords, and many other possibilities.